On 16/07/2020, the Court of Justice of the European Union issued the above-mentioned judgment, which, with immediate effect, declared invalid the Commission’s decision regarding the EU-US Privacy Shield. This judgment subsequently received considerable attention from mainstream media. For this reason, we consider it appropriate to provide at least a brief summary for APEK members of what this judgment actually means. A number of Czech traders use services of American companies when processing personal data, and those services relied on the existence of this shield (for example, The Rocket Science Group LLC d/b/a MailChimp or SendGrid, Inc.).
The Regulation referred to as GDPR operates on the principle of free movement of personal data within the European Union. On the other hand, the transfer of personal data outside the European Union is prohibited in principle, and such transfer of personal data may only take place in cases expressly permitted by the GDPR.
One of the expressly permitted variants is also the transfer of personal data outside the EU on the basis of an “adequacy decision”. Specifically, Article 45(1) of the GDPR provides that “a transfer of personal data to a third country … may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.” Such a decision was adopted by the Commission in relation to the United States of America in 2016 (before the GDPR came into effect). As outlined above, the Court annulled this Commission decision by the above-mentioned judgment, stating, inter alia, that American legislation does not provide an adequate level of protection of personal data, including sufficient protection of the rights of data subjects (also with regard to the federal government’s surveillance programmes). Following the issuance of the judgment in question, traders who used American companies as their processors when processing personal data can therefore no longer transfer personal data to the USA on the basis of an “adequacy decision”.
The transfer of personal data to countries outside the EU may also take place on other grounds (than an “adequacy decision”). However, each of them has its weaknesses in practice. Whilst the Court expressly confirmed the possibility of transferring personal data on the basis of standard contractual clauses prepared by the Commission, the CJEU simultaneously stated that it must be ensured that “the rights of persons whose personal data are transferred to a third country on the basis of standard data protection clauses are subject to a level of protection essentially equivalent to that guaranteed within the European Union by that Regulation read in conjunction with the Charter of Fundamental Rights of the European Union.” However, as we have already learnt from the Court above, American legislation does not provide an adequate level of protection of personal data (which will logically also apply to a number of other countries outside the EU).
Large multinational corporations in particular may use the possibility of transferring personal data on the basis of binding corporate rules (Article 47 GDPR); however, these rules must be approved by the supervisory authority. The transfer of personal data outside the territory of the European Union may also take place in so-called specific situations (Article 49 GDPR). One such envisaged situation is the transfer of personal data where “the data subject has been informed of the possible risks … for him or her and has subsequently given his or her explicit consent to the proposed transfer.” However, from a practical perspective, this provision will not be particularly popular, and moreover the European Data Protection Board has repeatedly stated that a transfer based on this ground cannot be a proper basis for systematic processing of personal data and must furthermore be understood as genuinely exceptional.
In view of the above, we would therefore recommend that traders first ascertain what services from the USA they use and whether they also use them for the processing of personal data (the American company is a processor of personal data for the trader as controller). If the answer to this question is affirmative, it is also appropriate to ascertain whether the use of such a service involves the transfer of personal data to the USA (that is, whether the provider offers a separate variant for the EU). If so, it is appropriate to also consider on what basis such transfer of personal data actually takes place. In the event that this was on the basis of the EU-US Privacy Shield, it is certainly appropriate to pay increased attention to such processing of personal data.
Josef Aujezdský
This text was originally prepared by the law firm Mašek, Kočí, Aujezdský in cooperation with the Association for Electronic Commerce (APEK) as legal circular No. 7/2020 intended for members of this association.
This text was translated from Czech to English using an AI translator.