Post Schrems-II Enforcement: Lessons Learned

The Schrems-II decision from the Court of Justice of the European Union is now almost a year old. A permanent solution – a replacement for the annulled Privacy Shield – is not yet in sight. New standard contractual clauses (SCCs) do seem to be on the horizon, but they will not be as foolproof as they were in the past, given that supplementary safeguards may need to be agreed upon for many destinations. In the meantime, the data protection authorities in Europe have received quite a number of complaints (the exact number has not been released) regarding international data transfers. The first cases have now come to a conclusion. What are some of the lessons learned so far?


The main decisions on post Schrems-II international data transfers to date have been issued by the data protection authorities in Bavaria (Germany), France and Portugal. In Bavaria, the case revolved around a company using a U.S. email newsletter platform. The German company had put SCCs in place with the newsletter platform, but had neither assessed the risks involved in the data transfer nor agreed upon supplementary measures. The Bavarian DPA considered that the newsletter platform should be seen as an electronic communication service provider subject to FISA Section 702, and therefore suspended the data transfer.


In France, both the CNIL and the Conseil d’État, the supreme administrative court, voiced concerns about the use of Microsoft Azure for the new government Health Data Hub. The HDH is a platform that would allow for the collection and exchange of health data of French citizens, to be used for research purposes. Especially given the sensitive nature of the data involved, the use o ..
