In an important judgement issued today (Schrems II), Europe’s highest court (the CJEU) has issued a decision which invalidates the EU-US Privacy Shield, but which upholds the validity of Standard Contractual Clauses.
Privacy Shield
Since coming into force in 2016, many firms have relied on Privacy Shield for the transfer of personal data from the EU to self-certifying companies which are based in the USA. This was viewed as an important mechanism for international data transfers.
However, the CJEU has now struck down Privacy Shield due to concerns about US surveillance programmes and a failure to provide individuals with sufficient judicial protection and actionable rights before the courts against US authorities.
Any firms which currently rely solely on the Privacy Shield for EU to US data transfers will now be required to put in place alternative arrangements. In particular, many such firms will now be required to consider putting in place Standard Contractual Clauses.
Standard Contractual Clauses
As part of the Schrems II judgement, the CJEU has upheld the validity of Standard Contractual Clauses. These are template clauses which have been issued by the European Commission in order to enable the transfer of personal data to countries outside the EU.
The Standard Contractual Clauses are the most commonly used mechanism for international data transfers in compliance with the GDPR. As such, most businesses will welcome this ruling which confirms that these clauses will continue to be valid.
However, the CJEU has emphasised that, in certain circumstances, data protection regulators in EU Member States will be required to suspend or prohibit data transfers which are based on the Standard Contractual Clauses – for example, this could occur if a regulator takes the view that the Standard Contractual Clauses are not or cannot be complied with in a non-EU country.
As a firm, we have data privacy / GDPR specialists with extensive experience of advising on, and putting in place, Standard Contractual Clauses for international data transfers (as well as other means of lawful transfer).
If you have been relying on Privacy Shield for data transfers to the USA, we can assist you with putting in place Standard Contractual Clauses or alternative safeguards in order to ensure that your data transfers from the EU to the USA remain lawful in accordance with the GDPR.
David Goodbrand
Partner
Commercial Contracts
David specialises in advising clients on outsourcing arrangements, IP licensing, complex commercial contracts, fintech and the use of information.
Related News, Insights & Events
Tech & IP Conference 2025: Evolution or Revolution?
07/05/2025 - Everyman Cinema, St James Quarter, Edinburgh
Our annual Tech & IP Conference will explore how businesses can take advantage of change to evolve, build resilience, and leverage competitive advantage through powerful technologies and innovation.
Cyber Crime in the Trust Economy: Navigating an evolving threat landscape
Read our latest Trust Economy paper here.
Risk in commercial shipping – The Supreme Court clarifies the scope of Hague Visby Rules for claims for misdelivery of cargo
A Supreme Court decision has shed light on the scope of protection for carriers under a key international convention, highlighting the need for thorough risk assessment in the contracting process.
