The Court of Justice of the European Union (CJEU), the EU's highest court, declared on July 16, 2020, that the EU-U.S. Privacy Shield framework for the transfer of personal data from the EU into the United States is invalid. This ruling, issued in Data Protection Commissioner v. Facebook Ireland, Ltd., Maximillian Schrems, Case C-311/18 (E.C.J. July 16, 2020) (known more broadly as the Schrems II case), was one of the most highly anticipated court rulings of the year and will impact thousands of companies utilizing Privacy Shield as the base for international data transfers. The CJEU ruling focused largely on Schrems’s complaint that U.S. surveillance laws do not offer adequate protection for personal data otherwise protected by EU laws, specifically Facebook’s practice of sharing personal data with the U.S. National Security Agency. The U.S. Department of Commerce, which administers Privacy Shield, issued a statement expressing its disappointment with the ruling and indicated that the Department would continue to administer the program, stating that the CJEU’s decision will not relieve participating organizations of their Privacy Shield obligations.

The CJEU also issued a determination in this matter upholding the validity of Standard Contractual Clauses (the SCCs, also known commonly as the Model Clauses) but ruled that businesses must verify whether the conditions of the transfer offer sufficient protections to personal data, as required by the General Data Protection Regulation. This includes verification that the destination country for the personal data maintains sufficient protective measures, specifically with regard to access by public authorities and judicial redress.

The ambiguities in the ruling draw into question whether SCCs may continue to be used as the basis for compliant transfer of personal data from the EU into the United States, given current U.S. laws permitting access by U.S. intelligence services to personal data transferred into this country. Data controllers will be required to address additional safeguards and protective measures on a case-by-case basis, depending on the laws of the destination country. Still, in light of the invalidation of Privacy Shield, and pending further clarification from EU regulators, SCCs appear to be the most viable option for companies at this time.

Practical considerations for data controllers include the following:

1. Review current data flows (internal and external) to confirm whether Privacy Shield or SCCs (or other mechanisms) are implicated.
2. Take immediate action to substitute alternative transfer mechanisms in lieu of Privacy Shield.
3. Where SCCs are or will be implemented, review the nature and scope of the personal data subject to transfer, along with the laws of the destination country and other factors, to assess the adequacy of the safeguards protecting the personal data, including the transfer process and subsequent use and retention of the personal data.

The CJEU decision did not include any grace period for businesses to migrate from Privacy Shield or review existing SCCs for sufficient protective measures. As such, businesses should make a review of its current data practices a high priority.

Opinions and conclusions in this post are solely those of the author unless otherwise indicated. The information contained in this blog is general in nature and is not offered and cannot be considered as legal advice for any particular situation. Any federal tax advice provided in this communication is not intended or written by the author to be used, and cannot be used by the recipient, for the purpose of avoiding penalties which may be imposed on the recipient by the IRS. Please contact the author if you would like to receive written advice in a format that complies with IRS rules and may be relied upon to avoid penalties.