Skip to main content

LUP Student Papers

LUND UNIVERSITY LIBRARIES

Schrems Cases: Are Rules Clarified?

Xu, Ke LU (2022) HARN63 20221
Department of Business Law
Abstract
According to General Data Protection Regulation (GDPR), there are “equivalent adequate” (Article 45), “appropriate safeguards” (Article 46), “derogations” (Article 49) as options to perform the cross- border data transfer. Privacy Shield, together with its predecessor Safe Harbor, was introduced with the purpose to facilitate the data transfer between EU and the United States in compliance with EU laws. The data transfers made under the Safe Harbor and Privacy Shield were deemed to meet the “equivalent adequate” requirements, and thus relied by business organizations as the legal basis. The Edward Snowden leaks put the surveillance programs of the United States under the focusing light and such trigger point finally led to the invalidation... (More)
According to General Data Protection Regulation (GDPR), there are “equivalent adequate” (Article 45), “appropriate safeguards” (Article 46), “derogations” (Article 49) as options to perform the cross- border data transfer. Privacy Shield, together with its predecessor Safe Harbor, was introduced with the purpose to facilitate the data transfer between EU and the United States in compliance with EU laws. The data transfers made under the Safe Harbor and Privacy Shield were deemed to meet the “equivalent adequate” requirements, and thus relied by business organizations as the legal basis. The Edward Snowden leaks put the surveillance programs of the United States under the focusing light and such trigger point finally led to the invalidation of Safe Harbor and Privacy Shield by the Courts of Justice of the European Union (CJEU) in Schrems I and II respectively in 2015 and 2020.
In the absence of “equivalent adequate” protection, the most commonly used legal mechanism is Standard Contractual Clauses (SCCs) as “appropriate safeguards”. Originally the data exporter only attached the SCCs in the agreement with importer without need to make further assessment of the legal regime and data protection in the country of importer. After Schrems, Although SCCs were not invalidated by CJEU, but they were decided as insufficient by themselves and thus must have “supplementary safeguards” to reach the level of “equivalent adequate” protection. However, the CJEU did not further clarify what are “supplementary safeguards”, which brought legal uncertainty to the EU-U.S. cross-border data transfer and was arguably by critics to obscure the differences between “equivalent adequate” and “appropriate safeguards”.
The two main “derogation” are consent and necessity. Although the CJEU pointed out that there would be no “legal vacuum” in the absence of adequacy and safeguards, the strictly necessary application conditions have made such “derogation” applied only in limited circumstances. (Less)
Please use this url to cite or link to this publication:
author
Xu, Ke LU
supervisor
organization
course
HARN63 20221
year
type
H1 - Master's Degree (One Year)
subject
keywords
Schrems Case, Data Protection, Cross Border Data Flow, GDPR, Privacy Shield
language
English
id
9086432
date added to LUP
2022-06-17 11:03:26
date last changed
2022-06-17 11:03:26
@misc{9086432,
  abstract     = {{According to General Data Protection Regulation (GDPR), there are “equivalent adequate” (Article 45), “appropriate safeguards” (Article 46), “derogations” (Article 49) as options to perform the cross- border data transfer. Privacy Shield, together with its predecessor Safe Harbor, was introduced with the purpose to facilitate the data transfer between EU and the United States in compliance with EU laws. The data transfers made under the Safe Harbor and Privacy Shield were deemed to meet the “equivalent adequate” requirements, and thus relied by business organizations as the legal basis. The Edward Snowden leaks put the surveillance programs of the United States under the focusing light and such trigger point finally led to the invalidation of Safe Harbor and Privacy Shield by the Courts of Justice of the European Union (CJEU) in Schrems I and II respectively in 2015 and 2020.
In the absence of “equivalent adequate” protection, the most commonly used legal mechanism is Standard Contractual Clauses (SCCs) as “appropriate safeguards”. Originally the data exporter only attached the SCCs in the agreement with importer without need to make further assessment of the legal regime and data protection in the country of importer. After Schrems, Although SCCs were not invalidated by CJEU, but they were decided as insufficient by themselves and thus must have “supplementary safeguards” to reach the level of “equivalent adequate” protection. However, the CJEU did not further clarify what are “supplementary safeguards”, which brought legal uncertainty to the EU-U.S. cross-border data transfer and was arguably by critics to obscure the differences between “equivalent adequate” and “appropriate safeguards”.
The two main “derogation” are consent and necessity. Although the CJEU pointed out that there would be no “legal vacuum” in the absence of adequacy and safeguards, the strictly necessary application conditions have made such “derogation” applied only in limited circumstances.}},
  author       = {{Xu, Ke}},
  language     = {{eng}},
  note         = {{Student Paper}},
  title        = {{Schrems Cases: Are Rules Clarified?}},
  year         = {{2022}},
}