The Schrems II Case and its impact on the personal data transfer between EU and Non-EU countries

by ZS Law

Many times we have witnessed clashes between David and Goliath on sports fields. Many times Goliath has won. But sometimes David wins, and those victories are always remembered.

Something similar has happened in law, in an area that has become especially important in recent years, an area related to personal data that is slowly becoming the most valuable currency in modern business.

The year is 2020, and the place of battle is the ECHR, with Maximilian Schrems as David and Facebook Ireland as Goliath. The result is II – 0 in favour of our David, and the repercussion of the victory is the Schrems II Guidance issued by the European Data Protection Board (EDPB) on the 28th of June 2021.

Before Schrems II, for the transfer of personal data from the EU to the US, it was enough to comply with the requirements stated by the EU-US Privacy Shield, i.e. to apply the standard contractual clauses (SCCs) approved by the EDPB. Now, it is not enough.

But what is? That is the question that will give us a headache in the future, while the answer will have to be found on a case-by-case basis. This applies not only to the export of personal data to the States but also to all Non-EU countries that do not have a confirmed adequacy status for their level of personal data protection.

For exports to Non-EU countries, comprehensive due diligence of the legislation in question will be required, which should answer one question: whether the country has an equivalent level of personal data protection. The answer to this question will determine whether such exports are lawful or not, or whether it is necessary to implement an additional security mechanism for such exports to be lawful.

The rise of remote work, a result of the pandemic caused by the COVID-19 virus, and cloud computing complicate an already complicated situation even more.

In March 2022, the European Commission and the United States announced that they had agreed in principle on a new Trans-Atlantic Data Privacy Framework, which will foster trans-Atlantic data flows and address the concerns raised by the Schrems II decision.

In connection to this, if you have concerns about this subject, please contact our attorney Ivan Ljubisavljevic at ivan.ljubisavljevic@zslaw.rs or your regular contact at Zivkovic Samardzic Law Office.


The Schrems II Case and its impact on the exchange of personal data between EU and Non-EU countries

Many times we have watched clashes between David and Goliath on sports fields. Many times Goliath has won. Only sometimes does David win, and those victories are always especially remembered.

Something similar has happened in law, in an area that has been gaining particular importance in recent years, the area concerning personal data, which is slowly becoming the most valuable currency of modern business.

The year is 2020, the place of battle is the ECHR, with Maximilian Schrems in the role of David and Facebook Ireland in the role of Goliath. The result is II – 0 for David, and the consequence of the victory is the Schrems II Guidance issued by the European Data Protection Board (EDPB) on 28 June 2021.

In short, before Schrems II, for the transfer of personal data from the EU to the US it was enough to comply with the requirements prescribed by the EU–US Privacy Shield, that is, to apply the standard contractual clauses approved by the EDPB. Now it is not. What is enough is a question that will trouble many in the future, and answers will be given on a case-by-case basis. And not only for the export of personal data to the US, but also to all Non-EU countries that are not on the list of countries guaranteeing an adequate level of personal data protection.

For these Non-EU countries it will be necessary to carry out comprehensive due diligence, which should answer one question: whether the country into which the personal data will be imported guarantees an adequate level of personal data protection. The answer to this question will determine whether such an export is permitted at all, or whether it is necessary to implement additional security measures for such an export to be permitted.

Working from home as a consequence of the pandemic caused by the COVID-19 virus, and cloud computing, further complicate an already sufficiently complicated situation.

In March 2022, negotiations began between the European Data Protection Board and the US with the aim of preparing Privacy Shield II, and it is to be expected that by the end of the year they will come out with a new Trans-Atlantic Data Privacy Framework.

If you have questions on this topic, follow our posts and/or contact attorney Ivan Ljubisavljević at ivan.ljubisavljevic@zslaw.rs or your regular contact at the Živković Samardžić law office.
