tags: #publish
links: [[Software and Tech]], [[Law]], [[EU Court of Justice (CJEU)]]
created: 2020-10-14 Wed
related: [[Schrems I]],

---

# Schrems II

GDPR-related case.

[[EU Court of Justice (CJEU)]]: [[EU-US Privacy Shield]] doesn't hold up any more. But we still have [[Standard Contractual Clauses (SCC)]] ([[Schrems I]] already invalidated [[EU-US Safe Harbor]])

https://www.brookings.edu/research/the-court-of-justice-of-the-european-union-in-schrems-ii-the-impact-of-gdpr-on-data-flows-and-national-security/

The earlier CJEU decision in [[Schrems I]] found that the European Commission adequacy decisions with respect to the EU-U.S. Safe Harbor was invalid.

> the issue was U.S. government access to personal data for national security purposes and the rights of EU citizens in the U.S. to judicial review and redress. In both cases the CJEU found that the U.S. fell short in that the U.S. was not according EU personal data the protection and rights of redress available in the EU.
>
> When it comes to access to data for national security purposes, under EU law, including GDPR, any limitation on EU rights to privacy must be “necessary and proportionate”.[5] At the same time, national security is the sole responsibility of member states.[6] In effect, each EU state is given the discretion to balance national security needs with data privacy rights. Yet, the EU is not according a similar discretion to third countries. In fact, GDPR uses the threat of withdrawing access to EU personal data as a tool to seek reform of other country’s security agencies to reflect the CJEU notion of proportionality, while exempting member state governments from similar expectations or threats. This effectively sets up the CJEU as the arbiter of whether other countries’ approaches to accessing data for national security purposes are proportional.

i.e. this is partly an international political battle where the EU is attempting to force other countries to change their laws :D