skip to main content

On July 16, 2020, the Court of Justice of the European Union (CJEU) published its ruling on Data Protection Commissioner v. Facebook Ireland Ltd., Schrems (Schrems II), striking down the EU-U.S. Privacy Shield as a valid mechanism for transferring EU personal data under the General Data Protection Regulation (GDPR).

Citing concerns with what it characterized as unaccountable U.S. government surveillance, the CJEU struck down the European Commission’s previous adequacy decision for EU-U.S. Privacy Shield as a valid mechanism for international data transfers. The court’s analysis rested on the finding that US surveillance programs are not proportional to their intended purpose and do not ensure an equivalent level of protection as guaranteed to EU data subjects. The court also found that EU data subjects lack actionable redress against government surveillance in the U.S., undermining the right to an effective remedy as required for international data transfers under the GDPR and EU law.

And, while the CJEU did confirm the validity of the Standard Contractual Clauses (SCCs) for the transfer of personal data outside of the EU, this confirmation came with additional obligations and uncertainties. The CJEU held that organizations choosing to rely on the SCCs may only do so if their application will ensure an “adequate level of protection” for the personal data of EU data subjects. Given the extensive criticism in Schrems II of U.S. government practices, this leaves open the question of whether the SCCs may be relied on for transfers to the U.S.  Where the SCCs fall short, companies may need to implement additional safeguards or suspend transfers.

Many organizations may decide to default to the SCCs regardless, taking a wait-and-see approach with EU regulators. Damages, however, can prove to be very costly. Companies previously relying on EU-U.S. Privacy Shield should now look for alternative transfer mechanisms under the GDPR for transfers to the US, and evaluate their privacy and security practices to ensure and document that they provide an “adequate level of protection.” A copy of the CJEU decision can be found here.

This article is informational only. The information provided on this website does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. Information on this website may not constitute the most up-to-date legal or other information. Readers of this website should contact their attorney to obtain advice with respect to any particular legal matter. No reader, user, or browser of this site should act or refrain from acting based on information on this site without first seeking legal advice from counsel in the relevant jurisdiction. Only your individual attorney can provide assurances that the information contained herein—and your interpretation of it—is applicable or appropriate to your particular situation. All liability with respect to actions taken or not taken based on the contents of this site are hereby expressly disclaimed. The content on this posting is provided “as is;” no representations are made that the content is error-free.