On July 16, 2020, the Court of Justice of the European Union (CJEU) published its ruling on Data Protection Commissioner v. Facebook Ireland Ltd., Schrems (Schrems II), striking down EU-U.S. Privacy Shield as a valid mechanism for transferring EU personal data under the General Data Protection Regulation (GDPR).

Citing concerns with what it characterized as unaccountable U.S. government surveillance, the CJEU struck down the European Commission’s previous adequacy decision for EU-U.S. Privacy Shield as a valid mechanism for international data transfers. The court’s analysis rested on the finding that US surveillance programs are not proportional to their intended purpose and do not ensure an equivalent level of protection as guaranteed to EU data subjects. The court also found that EU data subjects lack actionable redress against government surveillance in the U.S., undermining the right to an effective remedy as required for international data transfers under the GDPR and EU law.

And, while the CJEU did confirm the validity of the Standard Contractual Clauses (SCCs) for the transfer of personal data outside of the EU, this confirmation came with additional obligations and uncertainties. The CJEU held that organizations choosing to rely on the SSCs may only do so if their application will ensure an “adequate level of protection” for the personal data of EU data subjects. Given the extensive criticism in Schrems II of U.S. government practices, this leaves open the question of whether the SSCs may be relied on for transfers to the U.S.  Where the SCCs fall short, companies may need to implement additional safeguards or suspend transfers.

Many organizations may decide to default to the SSCs regardless, taking a wait and see approach with EU regulators. Damages, however, can prove to be very costly. Companies previously relying on EU-U.S. Privacy Shield should now look for alternative transfer mechanisms under the GDPR for transfers to the US, and evaluate their privacy and security practices to ensure and document that they provide an “adequate level of protection.” A copy of the CJEU decision can be found here.

Authors: Jacob Scarr and Mishal Ayaz

Readers of this article should contact an attorney to obtain advice with respect to any particular legal matter.  No reader, user, or browser of this site should act or refrain from acting on the basis of information on this site without first seeking legal advice from counsel in the relevant jurisdiction.  Only your individual attorney can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation.  Use of, and access to, this website or any of the links or resources contained within the site do not create an attorney-client relationship between the reader, user, or browser and website authors, contributors, contributing law firms, or committee members and their respective employers.