Tech & Sourcing @ Morgan Lewis


A recent Court of Justice of the European Union (CJEU) ruling—Schrems II—could lead to significant changes for companies that rely on the EU-US Privacy Shield for transferring personal data from the European Economic Area (EEA) to the United States, including increased due diligence on the part of data exporters.

In 2015 the CJEU ruled in the Schrems I decision that the EU Safe Harbor framework for transferring personal data between the European Union and United States was invalid. In response, the European Union and United States instituted the so-called Privacy Shield as the mechanism to replace the Safe Harbor framework, which allowed companies to self-certify compliance with privacy principles when transferring data from the EEA to the United States. US companies have relied on the Privacy Shield as well as the European Commission standard contractual clauses (SCCs).

In Schrems II, the CJEA addressed the adequacy of the Privacy Shield and SCCs.

The CJEA held that the Privacy Shield is not a valid transfer mechanism. The CJEA considered that the requirements of US domestic law, and in particular certain programs enabling access by the US government to personal data for US national security purposes, result in insufficient protection of EU personal data and do not allow for actionable rights before the US courts by individuals.

On the other hand, the CJEA upheld the use of the SCCs as a proper mechanism to transfer personal data outside of the EEA. Importantly, however, the CJEA stated that companies cannot simply rely on the SCCs and that there is an underlying obligation to do some level of due diligence prior to any transfer of data. The CJEA explained:

[I]t is therefore, above all, for that controller or processor to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses.

What can we take away from this ruling? First, if a company has relied on the Privacy Shield in relation to its transfer of data, it must develop a new framework immediately. Note, there is no grace period for companies that transfer under the Privacy Shield; as such, companies cannot continue to transfer data under the Privacy Shield.

Second, if a company has used SCCs as a framework to transfer data, they must begin developing a due diligence process to determine if there is adequate protection of privacy of personal data. Whether a company can transfer personal data under the SCC mechanism will depend on the result of the case-by-case due diligence, taking into account the circumstances surrounding the transfers, as well as any additional protective procedures that are established to ensure that a level of protection essentially equivalent to that arising from the EU General Data Protection Regulation exists.