Management of Cross-Border Data Transfer After the Schrems II Decision

Orrick, Herrington & Sutcliffe LLP

[co-authors: Giulia Rivarola di Roccella, Martina Acquaro]

Following the decision of the European Court of Justice of the European Union ('ECJ') in case C-311/18, better known as 'Schrems II', on 16 July, concerning the invalidity of the Privacy Shield and the revision of the mechanisms for transferring personal data outside the European Economic Area ('EEA'), big tech companies and all companies with business relations in the United States were forced to review their policies on cross-border data management.

The Court of Justice of the European Union considered that the Privacy Shield could no longer meet the principles underlying the Regulation (GDPR), as it violated some of the fundamental principles of data protection.

The judgment clarified that the powers granted to the American public authorities, including their powers of monitoring and control, should still be considered excessive and not proportionate to the aims pursued, and therefore contrary to the principle of proportionality set out in Art. 5 GDPR. According to the European judges, the mediation mechanism referred to in the legislation - the so-called "Ombudsperson" - was not able to offer protection of the rights of data subjects that was effective and equivalent to that provided by the Regulation.

Besides declaring the invalidity of the Privacy Shield, the CJEU decision also affected the data transfer mechanisms based on the so-called "Standard Contractual Clauses" - SCCs - referred to in Article 46 of the Regulation.

While acknowledging the validity of this mechanism, the Court specified that each data controller is responsible for verifying individual cross-border flows on a case-by-case basis, and that the security measures applied to them shall be assessed on the basis of the characteristics of the processing and the purposes of the transfer.

As a consequence of the CJEU decision on the invalidity of the Privacy Shield, the European Data Protection Committee - EDPB - drew up a document with the most frequently asked questions on the transfer of personal data in order to support companies in managing relations with their overseas suppliers and customers.

The European Data Protection Supervisor - EDPS - has also published a strategic document to ensure transparent and compliant management of international data transfers in relation to European legislation. In the document, the authority provides an action plan to streamline compliance and enforcement measures, distinguishing between actions that can be implemented in the short term and activities to be implemented in the medium/long term.

Three months ago, in September, the Datenschutzkonferenz, the independent data protection supervisory authority of the German federal and state governments, concluded an investigation into the adequacy of Office 365's systems in relation to current European data protection provisions.

The inspection - which lasted several months - revealed that Microsoft does not comply with the regulatory requirements set out in Art. 28 of the Regulation. In the report, the German authority pointed out several shortcomings with regard to the legal bases relied on for certain processing operations and the security measures adopted to reduce the risk of data breaches.

In response to the judgment in C-311/18 Schrems II, the individual supervisory authorities of the federal states, including Baden-Württemberg, Bavaria and Hessen, expressed concern about the data transfer activities carried out by Office 365 and demanded immediate action by the company so that the system can be used in compliance with data protection regulations.

Further analysis is available in Italian: La gestione del flusso trasfrontaliero dei dati dopo la sentenza Schrems II

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Orrick, Herrington & Sutcliffe LLP | Attorney Advertising
