Schrems II Judgment on Cross Border Personal Data Flows Under EU-US Privacy Shield Mechanism: Good Diagnosis, Vague Prescription

Subhrarag Mukherjee, Senior Legal Counsel – Strategic Alliances (North America & Worldwide), Hewlett Packard Enterprise

In the case of Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems [C-311/18] decided on July 16, 2020, the Court of Justice of the European Union with immediate effect invalidated the EU-US Privacy Shield mechanism for failing to provide protection equivalent to the EU GDPR regime. The EU-US Privacy Shield mechanism was a framework that was negotiated by the US Department of Justice and the European Commission as being adequate for enabling organizations to transfer personal data from the EU to the US. This article critically analyzes the judgment and its impact on various stakeholders - the EU based data exporter; the data recipient based in the US/third party country; national data protection authorities in the various EU nations; the US Government and the data owners based in the EU. This article also reviews the adequacy of other mechanisms for data transfer (like Binding Corporate Rules) and recommends certain additional safeguards that corporate organizations can consider to mitigate the risk of personal data transfer being invalidated on the ground of inadequacy of protection in the recipient country.

Read full paper Subscribe to the IICJ
India Data Protection IT October 2020 Vol.13, No. 53, Autumn 2020

Subhrarag Mukherjee

More

I am a Senior Legal Counsel in Hewlett Packard Enterprise (HPE) overseeing the legal support for all Strategic Alliance relationships/projects of the company for North America & Worldwide regions.

Hewlett Packard Enterprise

More

Hewlett Packard Enterprise is an Information Technology MNC focussed on providing various kinds of IT hardware and software products and system integration services to its enterprise clients across the world.

India Data Protection IT October 2020 Vol.13, No. 53, Autumn 2020