July 17, 2020Published Article

European High Court Limits the Mechanisms Available to Transfer Personal Data from the EU to the U.S.

Citing concerns raised about the level of protection for personal data transferred from the European Union (EU) to the United States, on July 16, 2020, in the so-called Schrems II case (C-311/18), the Court of Justice of the European Union (CJEU) determined the EU-U.S. Privacy Shield Agreement (Privacy Shield) is inconsistent with requirements under the EU General Data Protection Regulation (GDPR) and thus invalid, removing one of the mechanisms available to lawfully transfer personal data from the EU to the U.S. under the GDPR. As the CJEU is the highest court in the EU, this ruling cannot be appealed or challenged.

The result in the Schrems II case is largely the same as the result in the CJEU’s decision in the Schrems I case (C-362/14) in 2015, where the CJEU declared Safe Harbor (the predecessor to Privacy Shield) was invalid based on the fact that U.S. legislation did not limit interference with an individual’s rights to what is strictly necessary. As happened to companies that utilized Safe Harbor prior to Schrems I, under the CJEU’s ruling in Schrems II, companies that transfer personal data to the U.S. from the EU must utilize one of the other mechanisms authorized under the GDPR. One of those mechanisms, the standard contractual clauses previously approved by the European Commission in Commission Decision 2010/87/EU in February 2010, was also challenged in Schrems II. However, unlike Privacy Shield, the CJEU affirmed that the standard contractual clauses are still valid and remain a viable option to lawfully transfer personal data. Companies may also utilize other mechanisms under the GDPR, such as binding corporate rules. The benefit of using standard contractual clauses over other mechanisms is that they can be utilized without obtaining prior approval from the appropriate EU regulator.

Beyond transitioning to standard contractual clauses or other lawful mechanism to transfer personal data, companies in the U.S. that utilized Privacy Shield will likely need to take additional actions, such as updating privacy policies, modifying data protection agreements and evaluating whether internal policies and procedures are consistent with the requirements in the standard contractual clauses. For additional information on the invalidation of the EU-U.S. Privacy Shield, as well as assistance putting alternative adequacy measures in place, please contact a member of our Privacy & Cybersecurity team.

back to top