In an important judgement issued today (Schrems II), Europe’s highest court (the CJEU) has issued a decision which invalidates the EU-US Privacy Shield, but which upholds the validity of Standard Contractual Clauses.

Privacy Shield

Since coming into force in 2016, many firms have relied on Privacy Shield for the transfer of personal data from the EU to self-certifying companies which are based in the USA. This was viewed as an important mechanism for international data transfers.

However, the CJEU has now struck down Privacy Shield due to concerns about US surveillance programmes and a failure to provide individuals with sufficient judicial protection and actionable rights before the courts against US authorities.

Any firms which currently rely solely on the Privacy Shield for EU to US data transfers will now be required to put in place alternative arrangements. In particular, many such firms will now be required to consider putting in place Standard Contractual Clauses.

Standard Contractual Clauses

As part of the Schrems II judgement, the CJEU has upheld the validity of Standard Contractual Clauses. These are template clauses which have been issued by the European Commission in order to enable the transfer of personal data to countries outside the EU.

The Standard Contractual Clauses are the most commonly used mechanism for international data transfers in compliance with the GDPR. As such, most businesses will welcome this ruling which confirms that these clauses will continue to be valid.

However, the CJEU has emphasised that, in certain circumstances, data protection regulators in EU Member States will be required to suspend or prohibit data transfers which are based on the Standard Contractual Clauses – for example, this could occur if a regulator takes the view that the Standard Contractual Clauses are not or cannot be complied with in a non-EU country.

As a firm, we have data privacy / GDPR specialists with extensive experience of advising on, and putting in place, Standard Contractual Clauses for international data transfers (as well as other means of lawful transfer).

If you have been relying on Privacy Shield for data transfers to the USA, we can assist you with putting in place Standard Contractual Clauses or alternative safeguards in order to ensure that your data transfers from the EU to the USA remain lawful in accordance with the GDPR.