GDPR Update: Top EU Court Strikes Down Validity of EU-US Privacy Shield Framework; Upholds Standard Contractual Clauses
Today, July 16, 2020, the EU’s top court, the Court of Justice of the European Union (CJEU), issued its highly anticipated decision in the Schrems II case. In doing so, CJEU has invalidated the EU-US Privacy Shield Framework and held that its prior decision regarding Standard Contractual Clauses (SCCs) remains valid. Following this decision, US businesses can no longer rely on the EU-US Privacy Shield Framework as a legal mechanism for transferring personal data from the European Economic Area (EEA) to the US. However, companies can still leverage the SCCs in certain instances. The decision highlighted the requirement for the data exporter to ensure adequate levels of protections are in fact in place prior to transfers.
This decision takes away from an already shorter list of available mechanisms for transfers between processors. Now processors who previously relied on the EU-US Privacy Shield Framework will need to quickly identify a new mechanism to support legal transfers to the US under the GDPR. The continued validity of the SCCs leaves a gap for processor-to-processor transfers because the currently available SCCs do not expressly cover those types of transfers.