Schrems II Update: Privacy Shield Strikes Out



On July 17th, the Court of Justice of the European Union (CJEU) released its ruling that Privacy Shield is no longer an adequate method to transfer personal data from the European Economic Area (EEA) to the US.

With over 5,000 organizations holding the self-certification through the US Department of Commerce, in addition to the organizations transferring personal data to these organizations, this ruling will likely have an impact on all organizations transferring personal data from the EEA to the US. Alas, all is not lost, as there are other transfer mechanisms available, including standard contractual clauses (SCCs), GDPR derogations, and binding corporate rules (BCRs).

BCRs are safe for now. However, organizations relying on SCCs need to ensure the third country where they are transferring the personal data does not have conflicting laws to the SCCs. Organizations within countries that have laws that allow public authorities to access those organizations’ personal data will be unable to implement SCCs based on this ruling. 

Organizations in the US subject to FISA 702 were provided as an example by Max Schrems as organizations that will be unable to rely on SCCs to transfer personal data, as FISA 702 contradicts the privacy rights provided to Europeans. FISA 702 is a provision of the FISA Amendments Act of 2008, which allows the US government to conduct targeted surveillance of foreign persons located outside the US with the assistance of electronic communication service providers to obtain foreign intelligence information.

If your organization is relying on Privacy Shield, we recommend you continue to adhere to the program’s obligations, as the FTC can still enforce it. Outside of continuing to comply with Privacy Shield, organizations should:

  • Review personal data transfers and document any relying upon Privacy Shield
  • Review the derogations and guidance surrounding the use of these
  • Compile personal data transfers relying upon SCCs
  • Determine any conflicts with third-country laws to ensure SCCs can continue to be relied upon
  • Keep an eye out for guidance from the DPAs in Europe
  • Monitor US and European Commission talks and next steps regarding adequacy

Written by:


CompliancePoint on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.