On 29 September, IFRRO organised a webinar on the “Schrems II” judgment, which was delivered by the Court of Justice of the European Union (CJEU) on 16 July 2020 and concerns the transfer of personal data to countries outside of the EU. Over 50 delegates from more than 30 IFRRO member organisations met remotely to learn more about the judgment and what they can do to address the challenges it has raised for RROs.
The judgment invalidated the EU-US “Privacy Shield” as US laws do not offer a level of protection that is "substantially equivalent" to EU laws, so transfers based on the Privacy Shield are now unlawful. Catherine Starkie (IFRRO), who chaired the webinar, explained that the Schrems II case is important as it potentially impacts many IFRRO members: all European members sending data outside of the European Economic Area (EU Member States, plus Iceland, Liechtenstein and Norway) as well as non-European members dealing with personal data of EEA individuals / residents. The key issue is whether data is transferred outside the EEA to non-EEA countries.
IFRRO invited legal experts from the law firm Osborne Clarke to explain the case and its implications to IFRRO members, which they did from both the EU and US perspective. While transfers to the US / other non-EEA countries may still be possible and legitimate, it is essential to balance the risk. The webinar explored how to approach risk assessment and looked at additional safeguards to maintain the lawfulness of the data transfers. The advantages and disadvantages of different transfer instruments, such as EU Standard Contractual Clauses, were also discussed.
IFRRO continues to monitor developments and keep members updated, and is now looking to adapt the IFRRO Sample Bilateral Agreement /Toolkit (see here) in light of the ruling. Members can find out further details about the webinar on the Members Only part of IFRRO’s website.