[co-author: Silvia Lopez Arnao]
The Belgian Data Protection Authority (DPA) has published brief guidance concerning the European Court of Justice (ECJ) judgement on the European Commission’s adequacy decision provided by the EU-US data Privacy Shield (Schrems II). The DPA’s guidance summarizes the conclusions of the Court, advises companies to consult the European Data Protection Board ("EDPB’s") related FAQ, and explains that the Belgian DPA is investigating the consequences of Schrems II in close collaboration with its counterparts at the EDPB.
On 31 August 2020, the Belgian DPA published some guidance following the ECJ judgement in Case C-311, commonly known as the "Schrems II" decision. This guidance provides a summary of the judgement, that declared the European Commission's Decision on the adequacy of the protection provided by the EU-US data protection shield invalid.
The DPA guidance also refers to the European Commission's Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries. The Authority highlights the fact that exporters established in the EU are required to suspend or terminate the transfer whenever the standard data protection clauses are not or cannot be complied with in the third country to which data is to be exported. If exporters do not suspend, the national supervisory authorities of the relevant EU member State must do so if they consider it necessary.
the DPA acknowledges that the ECJ judgement will result in consequences for controllers and processors who transfer personal data to third countries. These consequences are currently being examined by the EDPB in collaboration with the Belgian DPA and the competent national authorities of the other EU Member States. In this regard, companies are invited to consult the Frequently Asked Questions published by the EDPB.