Abstract

EU laws assume a dichotomous division of countries in the world into EU (and EEA) Member States and third countries. The general principle for the transfer of data to third countries is to prevent infringement of the EU data protection level (guaranteed by the GDPR). The legal solutions worked out over the years (being of a universal rather than individual nature) should ensure data security in the changing legal, technological, social and political environment. Efforts taken up in this respect by EU bodies are therefore subject to continuous scrutiny and review as regards their effectiveness. Such a review took place e.g. in 2015 (the CJEU Schrems I judgment) and in 2020 (Schrems II case). In the latter case, the CJEU spoke not only as regards the Privacy Shield agreement between the EU and the US (the Shield was questioned and eliminated from legal transaction by the CJEU), but also with respect to Standard Contract Clauses (SCC). The clauses were retained in force but with a reservation that the entities that apply them should carry out a comprehensive evaluation of the personal data protection level in a third country. The CJEU Schrems II judgment changed the paradigm as regards the burden of evaluation of the personal data protection level in a third country. The CJEU also stated that it did not create a “legal gap” since Art. 49 GDPR “details the conditions under which such a transfer may take place in the absence of an adequacy decision or appropriate safeguards” (item 202 of the judgment). Surprising is the readiness of the CJEU to replace systemic solutions (such as the Privacy Shield or SCC) with the exceptions under Art. 49 GDPR, which are applicable in special situations and override the general principle of primacy of personal data security in a third country (Art. 44 GDPR).