January 28, 2023

Volume XIII, Number 28


Privacy Shield Shattered: Standard Contractual Clauses Survive Glancing Blow

Key Points

  • The Court of Justice of the European Union (CJEU) struck down the EU-U.S. Privacy Shield (Privacy Shield) as a mechanism for transferring EU personal data to the United States;

  • Standard Contractual Clauses (SCCs) remain a valid method to transfer personal data to processors established outside of the EU in most cases; and

  • Organizations that previously relied on Privacy Shield must examine alternatives for lawful personal data transfers, such as SCCs or Binding Corporate Rules (BCRs).

On July 16, the European Union’s top court, the Court of Justice of the European Union (CJEU), released its highly anticipated decision in the so-called Schrems II case,[1] which saw the EU-U.S. Privacy Shield (Privacy Shield) invalidated based on its failure to adequately address US government surveillance activities. As a result, companies that process personal data of EU persons in the United States are immediately faced with a new set of challenges for complying with the international personal data transfer requirements of the GDPR.

The European Union and the United States implemented the Privacy Shield framework in July 2016, after the CJEU scrapped the prior mechanism, the U.S.-EU Safe Harbor (Safe Harbor), in the 2015 Schrems I decision,[2] also because of surveillance concerns. Compared to Safe Harbor, Privacy Shield imposed stricter and more comprehensive data protection obligations on US organizations that handle personal data of EU persons. Since then, more than 5,000 companies have enrolled in Privacy Shield, which has been monitored and enforced by the U.S. Department of Commerce and the Federal Trade Commission.

While the CJEU upheld the use of Standard Contractual Clauses (SCCs), adopted and published by the European Commission or by a member state Supervisory Authority (SA), it emphasized that the contracting parties have an obligation to ensure that the laws in the recipient country are sufficient to protect EU personal data and cautioned that SAs are “required to suspend or prohibit the transfer of personal data to a third country” where the guarantees of the SCCs are not upheld.[3] The CJEU also noted that parties are encouraged to include additional safeguards beyond the SCCs themselves via supplemental contractual commitments.

In the absence of Privacy Shield as a permitted mechanism for trans-Atlantic personal data transfers, there are important considerations for companies that transfer personal data to the US to ensure that they are continuing to process personal data of EU persons lawfully:

  • Review the company’s and its affiliates’ personal data processing activities that involve international personal data transfers and identify which, if any, involve personal data transfers from the EU to the US;

  • If any of these personal data transfers — whether between affiliates or with third party service providers — have relied on Privacy Shield certification, put in place a new adequate personal data transfer mechanism: (1) SCCs, noting that, based on the CJEU decision, additional diligence, considerations and provisions may be advisable; or (2) with respect to internal corporate and affiliate transfers, Binding Corporate Rules (BCRs), which allow multinational companies to transfer personal data to other entities abroad within the same enterprise under the supervision of an SA that must approve their global privacy policies and procedures; and

  • If SCCs or BCRs are not practical, determine whether it is feasible to obtain the consent of the personal data owners for the cross-border transfer.

Schrems II serves as an important reminder to assess (or re-assess) whether your privacy program has adequate safeguards in place to protect personal data of EU persons, which must be afforded “a level of protection essentially equivalent to that guaranteed within the EU by the GDPR.”[4]

[1]  Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems, case number C-311/18, in the Court of Justice of the European Union (July 16, 2020).

[2]  Maximillian Schrems v. Data Protection Commissioner, case number C-362/14, in the Court of Justice of the European Union (Oct. 6, 2015).

[3]  Id. at 14.

[4]  Id. at 21.

©2023 Katten Muchin Rosenman LLP

National Law Review, Volume X, Number 206

About this Author

Doron Goldstein, Katten Muchin Law Firm, Intellectual Property Attorney

Doron S. Goldstein's practice primarily deals with intellectual property, information technology and advertising, marketing and branded entertainment transactions and counseling, including privacy and information security, trademark, copyright, software and technology matters, and he is co-head of Katten's Advertising, Marketing and Promotions practice and of the firm's Privacy, Data and Cybersecurity group.

Doron regularly advises on various aspects of integrated marketing campaigns, including talent and production agreements, advertising agency...

Christopher Hitchins, Katten Muchin London UK, investment documentation attorney, labor disputes management lawyer

Christopher Hitchins focuses his practice on the full range of employment law issues, acting for employers or senior individuals in a wide range of sectors, with a particular focus on the financial services, technology, hotel, retail and media industries.

Chris advises on all contentious and non-contentious UK employment law matters. He has significant experience advising on senior executive employment, partnership and investment documentation, managing disputes and exits as well as team moves, advising businesses on restructurings involving the...

44 (0) 20 7776 7663

Nathaniel Lalone, Katten Muchin Law Firm, Financial Institutions Attorney

Senior Associate

Nathaniel Lalone, a partner at Katten Muchin Rosenman UK LLP, has a broad range of experience in the regulation of financial products and financial markets, and frequently provides regulatory and compliance advice to trading venues, clearing houses and buy-side firms active in the over-the-counter (OTC) derivatives, futures and securities markets. He is actively involved in advising clients on the implementation of MiFID 2 and MiFIR in the European Union as well as the international reach of US financial services regulation. He also has significant experience with structuring...

+44 0 20 7776 7629

Jeremy Merkel, Privacy, Data & Cybersecurity Attorney, Katten Muchin Rosenman, New York, NY

Jeremy Merkel counsels businesses and organizations across a range of industries on privacy and data security matters. Combining his knowledge of the cybersecurity landscape with his technical experience, Jeremy is a trusted advisor to companies during the critical moments of identifying and responding to data security incidents. From the moment a breach is identified, Jeremy leverages resources to understand the scope of an incident, assess the risk to data and sensitive information and mitigate legal exposure.

The legal framework of privacy and data security laws is constantly...

Sarah Simpson, Katten Law Firm, London, Intellectual Property Attorney

Sarah Simpson is an associate at Katten Muchin Rosenman UK LLP. Sarah practices commercial and intellectual property law, with a particular focus on EU and UK trademarks, brand protection, copyright, design rights, data protection, commercial contracts, regulatory and general commercial matters. She has experience of advising clients in the fashion, fashion-technology, luxury brands, retail, consumer goods, financial technology and education sectors. Sarah advises both local and international clients.