Evaluating the legal admissibility of data transfers from the EU to the USA

Alessandra Silveira (Editor) and João Marques (Lawyer, former member of Portuguese Data Protection Supervisory Authority)

1. The feud between Maximillian Schrems and the Irish Data Protection Supervisory Authority (Data Protection Commission – DPC), with Facebook always lingering in, has been detrimental to frame the legality of data flows from the European Union (EU) to the United States of America (USA), but also to any third country that replicates the shortcomings relating to the inexistence of a “level of protection essentially equivalent to that guaranteed within the European Union (…), read in the light of the Charter of Fundamental Rights of the European Union” [in the words of the Court of Justice of the European Union (CJEU)].[1]

2. The sole action of one man has brought down two different and sequential “transfer tools”, created in tandem by both the European Commission (EC) and the United States’ Government. In case C-362/14 the CJEU declared the Safe Harbour decision (Commission Decision 2000/520/EC of 26 July 2000) invalid, as the Court found that the USA’s legislation did not offer an essentially equivalent level of protection to that of the EU, also reminding all Data Protection Supervisory Authorities that their work is never done and that it is, in fact, upon their shoulders the task and the responsibility to constantly monitor if any given third country complies and remains compliant with the need to offer such an equivalency.

Continue reading “Evaluating the legal admissibility of data transfers from the EU to the USA”

The Schrems II Judgment: First two investigations by the European Data Protection Supervisor

by Joana Campos e Matos (Senior Consultant at Vieira de Almeida & Associados)

On May 27, 2021, the European Data Protection Supervisor (“EDPS”) announced that it has opened two investigations regarding the use of Amazon and Microsoft services by European Union institutions (EUIs)[1].

In a press release, the EDPS announced the opening of two investigations, one concerning the use of cloud services provided by Amazon Web Services and Microsoft under Cloud II contracts by European Union institutions, bodies and agencies and the other regarding the use of Microsoft Office 365 by the European Commission.

The EDPS underlined that these investigations are part of the EDPS’ strategy for EU institutions to comply with the “Schrems II” Judgement[2].

1. Legal framework for international data transfers by EUIs

According to the Regulation (EU) 2018/1725 [3], international data transfers[4] are only permitted if the third country to which the data are transferred, ensures that the conditions set out in the Regulation are respected, in such a way that the level of protection of natural persons guaranteed by the Regulation is not undermined (Article 46). Thus, data transfers to countries located outside the European Economic Area (“EEA”) can only occur within the strict terms provided for by the Regulation.

Continue reading “The Schrems II Judgment: First two investigations by the European Data Protection Supervisor”