July 21, 2020

As we noted in our alert on 16 July 2020, the decision of the Court of Justice of the European Union (CJEU) in the case of Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (Schrems II)[1] has serious implications for the transfer of personal data from the European Economic Area (EEA) to the United States. It invalidated the decision of the European Commission that established the EU-US Privacy Shield (the Privacy Shield Decision)[2], meaning that companies in the EEA must find another way to transfer personal data to the United States in compliance with the General Data Protection Regulation (GDPR). While the CJEU invalidated the Privacy Shield Decision, on its face, it also expressly retained the validity of the Standard Contractual Clauses (SCCs) as a compliant transfer mechanism. Digging deeper into the rationale behind the Schrems II decision, however, leaves a very clouded future for the use of SCCs as a justification for transfer of personal data from the EEA to the United States. In particular, the basis upon which the Privacy Shield Decision was invalidated – that the US Government has significant access to personal data once it arrives in the United States with little redress for EU residents – would seem to apply equally to the SCCs when adopted by US-based companies. So, while the SCCs have survived for now, that survival may be short-lived; awaiting the next legal challenge. 

To read the full alert, please click here.