I am and still attending a great session hosted by the IAPP on the Schrems II decision and Privacy Shield consequence, i.e. it is no longer a legal mechanism for data transfer from the EU to the US.
Miriam Wegmeister was a great panelist and gave some great insights, very practical and cool lady!
Practical steps as follows:
- There were some revised SCCs drafted even before this decision which can be used.
- Look at other mechanisms, e.g. transfers subject to appropriate safeguards (Article 46). What jumps out at me are (e) Code of Conduct, and (f) Certification.
- Art 49 normally only to be used in exceptional circumstances, maybe the Commission can relax on this. Art 49 is derogations for international transfers, my favourite (not) legal subject. It makes sense, as it is similar to Art 6, with some variations.
The decision is that Privacy Shield is not legal anymore, stop, no grace period, however looking at the UK Information Commissioner website and voila, they are recommending to “continue using Privacy Shield until new guidance becomes available” but do not start using Privacy Shield.
Although grace period was not officially declared, I don’t think that tomorrow DPAs will immediately start their enforcement in relation to those who duly implemented Privacy Shield mechanisms and principles 🙂
UK Government response to Schrems https://www.gov.uk/government/news/uk-government-response-to-the-european-court-of-justice-decision-in-the-schrems-ii-case