The CJEU’s recent decision in Schrems II invalidated the Privacy Shield, but held that standard contractual clauses remain a valid method to protect data exported from the EU. Morgan Jones and Scott Smedresman discuss the practical implications of the decision.
The Court of Justice of the European Union (CJEU, the EU’s highest court) has delivered its long-awaited decision in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (commonly referred to as Schrems II), invalidating the Privacy Shield as an acceptable method of data export for EU companies into the U.S. but retaining standard contractual clauses (SCCs) as an acceptable method — with a big caveat.
How did the CJEU arrive at these decisions?
The court first looked at what the General Data Protection Regulation (GDPR) required when transferring data to “third countries” or countries outside the EU and countries the European Commission had deemed as providing an “adequate level of protection.” It found that the GDPR required an “appropriate safeguard” to be used to protect the transfer of personal data to one of these third countries, which will provide “a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU…”