Transfer of Personal Data to Third Countries and the “Equivalent Level” of Protection According to the European Court of Justice

Abstract

Abstract The focus of this study is the transfer of personal data to third countries or international organizations according to EU Regulation No. 679/2016 (GDPR) on the protection of personal data. The primary goal of this Regulation concerning data transfer to third countries is to ensure that the subject’s rights and freedoms are safeguarded at the same level as provided by GDPR. According to GDPR, before any transfer to a third country or international organization, it must first be ascertained whether the European Commission has established that a third country ensures an adequate level of protection. Regarding personal data protection in the third state, the Court of Justice of the European Union has intervened on different occasions. In the last decision, in 2020, the Court declared invalid the European Commission’s Decision No. 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield (CJEU, Schrems II, 2020, July 16) because it does not provide effective and enforceable rights for personal data subjects in cases of interference. According to the Court of Justice of the European Union, the US does not guarantee an “essentially equivalent” level of protection to that provided by the European Union under Article 45(1) GDPR, read in conjunction with Articles 7, 8, and 47 of the European Union’s Charter of Fundamental Rights, which guarantee respect for private and family life, personal data protection, and the right to effective judicial protection.