Europe's highest court strikes down the EU-US data transfer framework “Privacy Shield” and casts fresh doubt on the use of “Standard Contractual Clauses”: Where does this leave your data transfers?

For the second time in five years, an Austrian data privacy activist by the name of Max Schrems has successfully interfered with the flow of personal data between the EU and America.

The decision just handed down by the Court of Justice of the European Union (“CJEU”) (Europe's highest court) in a case commonly referred to as “Schrems II” has significant repercussions for business on both sides of the Atlantic, but might also have implications for businesses which transfer EU personal data to the UK post-Brexit.

The movement of personal data from the EU to an unrelated party in the US is strictly controlled by the General Data Protection Regulations (“GDPR”), affording limited options, including:

  • Privacy Shield: This is a framework for legitimising transfers of personal data for commercial purposes between the EU and the US. Its main purpose is to enable US companies who participate in the Privacy Shield to receive personal data from EU entities under EU privacy laws.
  • Standard Contractual Clauses (or “SCCs”): These are EU Commission-approved model contractual clauses that businesses may use to legitimise transfers of personal data from the EU to “non-adequate” third countries (including the US).

The use of these mechanisms to transfer personal data is not limited to technology companies, or large multinational conglomerates. They legitimise data transfers at all levels and across many different sectors of the economy, from hotel booking systems to data centres.

In his latest action against Facebook before the Irish court, Schrems argued that the Standard Contractual Clauses which Facebook used to transfer personal data back to California were invalid. His reason was that he had no proper legal redress if US authorities chose to access his personal data for surveillance purposes.

The Irish court referred a number of questions to the CJEU, which considered the validity of not just the Standard Contractual Clauses, but also the Privacy Shield. The outcome may have very significant implications for your business whether you use the Privacy Shield or Standard Contractual Clauses, as detailed below.

Privacy Shield

The ruling from Europe's highest court:

The Privacy Shield framework is invalid. It does not provide adequate protection for the personal data of EU residents which is transferred into the US.

How this affects your business:

The UK data regulator (the “ICO”) has said that businesses already using the Privacy Shield may continue to do so, pending further guidance from that regulator. If you currently use the Privacy Shield, you should therefore:
  • Consider alternatives to legitimise your transfers of EU personal data to the US. These could include using: (i) SCCs (but see our comments below); (ii) Binding Corporate Rules; (iii) bespoke contractual terms approved by a data regulator; or (iv) exemptions available under GDPR.
  • Monitor developments in this area. We await guidance from the ICO in this area. Furthermore, another CJEU judgment regarding the use of this framework is due in the coming months, and swift action may need to be taken once its conclusions have been published.

Standard Contractual Clauses

The ruling from Europe's highest court:

The SCCs are fit for purpose. When used properly, their provisions guarantee an appropriate level of protection for EU personal data. However,
  • each data controller must decide whether the SCCs offer adequate protection for EU personal data in the context of the law of the non-EU country into which the data is transferred.
  • if a data regulator (such as the ICO) decides that the laws of a particular country do not adequately protect the transferred data, it should revoke all data transfers to that country under SCCs.

How this affects your business:

If you currently use SCCs, you should:
  • Consider whether the recipient country has laws that support use of the Standard Contractual Clauses. For example, it is not now clear whether US law offers adequate protection under SCCs, given the grounds on which the CJEU has invalidated the Privacy Shield.
  • Monitor any guidance or decisions taken by the ICO in the coming months regarding the use of SCCs in the context of the recipient countries where you are using them.
  • Review your Brexit planning. The EU recently reminded us that transfers from the EU to the UK will need proper safeguards if the EU deems the UK “non-adequate” for data protection purposes post-Brexit. It is not clear whether SCCs will be a valid mechanism; do not view them as a “sticking plaster” without further thought. Businesses that have not already reviewed their international data transfer arrangements should do so now, so they can make any changes prior to 31 December 2020; and
  • Stop using SCCs if you are not satisfied that the recipient country's laws support them.
If you'd like to discuss further any issues relating to the manner in which you transfer personal data, please do get in touch with our data specialists:
  • Luke Dixon, Partner, 0345 404
  • Neale, Partner, 0345 077
  • Houghton, Partner, 0345 070
  • Suttie, Director, 0345 128
  • Richmond-Coggan, Director, 0186 578


The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.