A Study on Schrems II Judgement of the European Court of Justice on International Data Flows―With a Focus on Its Effects on the Data Free Flow with Trust Initiative

         
Author Name: WATANABE Shota (Nomura Research Institute, Ltd.)
Creation Date/No.: July 2021, 21-J-035
Research Project: Comprehensive Research on the Current International Trade/Investment System (pt.V)

Abstract

The Schrems II judgement of the European Court of Justice (CJEU) dealt with the compatibility of the Privacy Shield agreement (PS) and Standard Contractual Clauses (SCCs) with the EU legal system. As such, it may have a significant impact on Japanese policies on international data flows.

In the Schrems I judgement, the CJEU decided that US surveillance activities were incompatible with the European framework and declared the Safe Harbor agreement, the predecessor of the PS, invalid. The US and EU governments then set up the PS to strengthen legal data protection against US surveillance. The most recent judgement, Schrems II, determined that the updated US system is still insufficient to meet the standards of the EU. This is the first case where the CJEU analyzed the level of data protection of a foreign country and confirmed that the standards of review under the Data Protection Directive, formed in the Schrems I judgement, are still applicable under the General Data Protection Regulation (GDPR), the successor of the Directive.

This judgement revealed that Data Protection Authorities can order the suspension of international data transfers during their handling of complaints, even when an adequacy decision exists. It also determined that SCCs remain valid; however, this is conditional upon additional safeguards based on the risks that exist in importing countries, including surveillance risks.

This article analyzed the similarity of the Schrems II judgement to the Data Free Flow with Trust (DFFT) initiative of the Japanese government, as well as the accuracy of the US criticism that the judgement is discriminatory against US surveillance when compared to EU members because surveillance is excluded from protection under the GDPR.