In an important judgement issued today (Schrems II), Europe’s highest court (the CJEU) has issued a decision which invalidates the EU-US Privacy Shield, but which upholds the validity of Standard Contractual Clauses.

Privacy Shield

Since coming into force in 2016, many firms have relied on Privacy Shield for the transfer of personal data from the EU to self-certifying companies which are based in the USA. This was viewed as an important mechanism for international data transfers.

However, the CJEU has now struck down Privacy Shield due to concerns about US surveillance programmes and a failure to provide individuals with sufficient judicial protection and actionable rights before the courts against US authorities.

Any firms which currently rely solely on the Privacy Shield for EU to US data transfers will now be required to put in place alternative arrangements. In particular, many such firms will now be required to consider putting in place Standard Contractual Clauses.

Standard Contractual Clauses

As part of the Schrems II judgement, the CJEU has upheld the validity of Standard Contractual Clauses. These are template clauses which have been issued by the European Commission in order to enable the transfer of personal data to countries outside the EU.

The Standard Contractual Clauses are the most commonly used mechanism for international data transfers in compliance with the GDPR. As such, most businesses will welcome this ruling which confirms that these clauses will continue to be valid.

However, the CJEU has emphasised that, in certain circumstances, data protection regulators in EU Member States will be required to suspend or prohibit data transfers which are based on the Standard Contractual Clauses – for example, this could occur if a regulator takes the view that the Standard Contractual Clauses are not or cannot be complied with in a non-EU country.

As a firm, we have data privacy / GDPR specialists with extensive experience of advising on, and putting in place, Standard Contractual Clauses for international data transfers (as well as other means of lawful transfer).

If you have been relying on Privacy Shield for data transfers to the USA, we can assist you with putting in place Standard Contractual Clauses or alternative safeguards in order to ensure that your data transfers from the EU to the USA remain lawful in accordance with the GDPR.

David Goodbrand

David Goodbrand

Partner

Commercial Contracts


David specialises in advising clients on outsourcing arrangements, IP licensing, complex commercial contracts, fintech and the use of information.

Get in touch

Related News, Insights & Events

Error.

No results.

Smart Homes

How smart is your home?

30/09/2025

Here, we explore the future of smart-enabled living – the adoption of which is helped by the new-build market. 

Read more
Appeal Deadlines In Arbitration Court Of Appeal Provides Guidance On When An Award Is Rendered

Appeal deadlines in arbitration – Court of Appeal provides guidance on when an award is “rendered”

15/09/2025

Clear language is essential when drafting an arbitration agreement – ambiguous wording can lead to unforeseen consequences.

Read more
Salesforce Drift Compromise Highlights Supply Chain Risk

Salesforce Drift compromise highlights cyber risks to supply chains

01/09/2025

Salesforce, and Salesloft, recently announced that they are responding to a cyber security incident.

Read more

Want to hear more from us?

Subscribe here Subscribe here