In an important judgement issued today (Schrems II), Europe’s highest court (the CJEU) has issued a decision which invalidates the EU-US Privacy Shield, but which upholds the validity of Standard Contractual Clauses.
Privacy Shield
Since coming into force in 2016, many firms have relied on Privacy Shield for the transfer of personal data from the EU to self-certifying companies which are based in the USA. This was viewed as an important mechanism for international data transfers.
However, the CJEU has now struck down Privacy Shield due to concerns about US surveillance programmes and a failure to provide individuals with sufficient judicial protection and actionable rights before the courts against US authorities.
Any firms which currently rely solely on the Privacy Shield for EU to US data transfers will now be required to put in place alternative arrangements. In particular, many such firms will now be required to consider putting in place Standard Contractual Clauses.
Standard Contractual Clauses
As part of the Schrems II judgement, the CJEU has upheld the validity of Standard Contractual Clauses. These are template clauses which have been issued by the European Commission in order to enable the transfer of personal data to countries outside the EU.
The Standard Contractual Clauses are the most commonly used mechanism for international data transfers in compliance with the GDPR. As such, most businesses will welcome this ruling which confirms that these clauses will continue to be valid.
However, the CJEU has emphasised that, in certain circumstances, data protection regulators in EU Member States will be required to suspend or prohibit data transfers which are based on the Standard Contractual Clauses – for example, this could occur if a regulator takes the view that the Standard Contractual Clauses are not or cannot be complied with in a non-EU country.
As a firm, we have data privacy / GDPR specialists with extensive experience of advising on, and putting in place, Standard Contractual Clauses for international data transfers (as well as other means of lawful transfer).
If you have been relying on Privacy Shield for data transfers to the USA, we can assist you with putting in place Standard Contractual Clauses or alternative safeguards in order to ensure that your data transfers from the EU to the USA remain lawful in accordance with the GDPR.
David Goodbrand
Partner
Commercial Contracts
David specialises in advising clients on outsourcing arrangements, IP licensing, complex commercial contracts, fintech and the use of information.
Related News, Insights & Events
Error.
No results.
How smart is your home?
30/09/2025
Here, we explore the future of smart-enabled living – the adoption of which is helped by the new-build market.
Appeal deadlines in arbitration – Court of Appeal provides guidance on when an award is “rendered”
15/09/2025
Clear language is essential when drafting an arbitration agreement – ambiguous wording can lead to unforeseen consequences.
Salesforce Drift compromise highlights cyber risks to supply chains
01/09/2025
Salesforce, and Salesloft, recently announced that they are responding to a cyber security incident.
{name}
{properties.pageSummary}
{properties.headline}
{properties.pageDate|date:dd/MM/yyyy}
{properties.shortDescription}
