The first decision of the EU Court of Justice (CJEU) ruled that Max can sue Facebook Ireland even in his own country, Austria.
On the 16th of July 2020, CJEU presented its decision on the case called Schrems II. With the new ruling, CJEU has shaken the Privacy Shield mechanism, mechanism that allows US companies to transfer and store EU personal data. Although the decision was directed to the US, this applies to all the other countries, following the Erga Omnes principle. Data exporters must ensure that the personal data has sufficient protection against government surveillance.
However, it did not abolish the Standard Contractual Clauses (SCCs), the method used so far to transfer data internationally, with the obligation for data controllers to assess the level of data protection and suspend or stop the transfer if there’s information of data being under surveillance.
As a reaction from the European DPAs (Data Protection Authorities), the German regulator (LfDI) releases an updated guidance based on the decision of the CJEU which argues that although international transfers under SCCs remain valid, they do not provide sufficient protection in most situations and it is the exporter’s obligation to ensure that data is assured by extra security measures such as encryption, anonymization and pseudonymization. If the data controller cannot provide sufficient protection even with extra measures, it must suspend/cancel the transfer.
There are still questions and uncertainties regarding these major changes in the data protection environment, but it is encouraging to see the reactions of the European Protection Authorities and the great effort made by the GDPR (General Data Protection Regulation) in trying to protect the privacy of individuals.
the CJEU’s decision on the 16th of July 2020: http://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=9745404
the German updated guidance: https://privacytranslations.com/international_data_transfer