EDPB adopts statement on the CJEU’s ruling in Facebook Ireland v Schrems.

During its 34th plenary session, the European Data Protection Board (EDPB) adopted a statement on the CJEU’s ruling in Facebook Ireland v Schrems, which invalidated the adequacy of the protection provided by the EU-US Privacy Shield and considered the Commission Decision on Standard Contractual Clauses (SCC) for the transfer of personal data to processors established in third countries valid. With regard to the Privacy Shield, the EDPB pointed out that the EU and the U.S. should achieve a complete and effective framework guaranteeing that the level of protection granted to personal data in the U.S. essentially equivalent to that guaranteed within the EU, in line with the judgment. As regards Standard Contractual Clauses, the EDPB took note of the primary responsibility of the exporter and the importer, when considering whether to enter into SCCs, to ensure that these maintain a level of protection that is essentially equivalent to the one guaranteed by the GDPR in light of the EU Charter. When performing such prior assessment, the exporter (if necessary, with the assistance of the importer) shall take into consideration the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime applicable in the importer’s country. The Court underlines that the exporter may have to consider putting in place additional measures to those included in the SCCs.