In an action with major ramifications for data transfers from the European Union (EU) to the United States (U.S.) the Court of Justice of the European Union (CJEU) on July 16 invalidated the EU-U.S. Privacy Shield framework (Privacy Shield), which provided a critical, lawful method for transferring personal data from the EU to the U.S. Entities relying on the Privacy Shield need to act quickly to rework the legal basis for those transfers. The CJEU somewhat limited the impact by finding that the Standard Contractual Clauses (SCCs) remain valid. As a result, transfers based on the SCCs may continue, subject to some additional guidance and caveats from the CJEU.
The CJEU’s finding resolved an appeal from the Irish High Court regarding a case known as Schrems II, initiated by Austrian privacy advocate, Max Schrems. The Irish High Court asked the CJEU for a preliminary ruling on the validity of the SCCs and Privacy Shield. Continue Reading