The Schrems II Case and its impact on the personal data transfer between EU and Non-EU countries

The David vs. Goliath story often plays out on sports fields, where the underdog sometimes triumphs. A similar scenario occurred in the legal field, particularly concerning personal data, which is becoming an increasingly valuable commodity in modern business.

In 2020, Maximilian Schrems challenged Facebook Ireland at the European Court of Human Rights (ECHR), with the result favoring Schrems 2-0. This victory led to the Schrems II ruling and the European Data Protection Board (EDPB) issuing guidance in June 2021.

Prior to the Schrems II ruling, personal data transfers from the EU to the US were compliant with the EU-US Privacy Shield or Standard Contractual Clauses (SCCs) approved by the EDPB. However, Schrems II changed this, raising the question of what now constitutes a lawful transfer.

Moving forward, data transfers to non-EU countries that lack an adequacy decision for personal data protection will need to be assessed case by case to establish whether they meet the required standard. This process involves thorough due diligence of the relevant country's legislation to determine if it offers an equivalent level of protection. If not, additional safeguards will be necessary for the transfer to be lawful.

The rise of remote work and cloud computing during the COVID-19 pandemic has further complicated the situation.

In March 2022, the European Commission and the United States announced an agreement in principle on a new Trans-Atlantic Data Privacy Framework, which aims to address the concerns raised by the Schrems II ruling and facilitate secure data flows between the EU and the US.

If you have concerns about this subject, please contact our attorney Ivan Ljubisavljevic at ivan.ljubisavljevic@zslaw.rs or your regular contact at Zivkovic Samardzic Law Office.