The European Court of Justice (“ECJ”) issued a landmark ruling earlier today that invalidates the EU – US Privacy Shield Framework (“Privacy Shield”) in Case C-311/18 (“Schrems II”). Prior to the ECJ’s ruling in this case, the Privacy Shield served as an approved “adequacy” mechanism to protect cross-border transfers of personal data from the European Union to the United States. The focus of the Court’s concern did not relate to the commercial aspects of Privacy Shield (e.g., the substantive privacy rules followed by participating US companies) but rather to the ability of US intelligence agencies to gather data under current US law and practice without providing, in the Court’s view, sufficient privacy protections for EU residents.
Importantly, the Court did not invalidate the European Commission decision approving certain standard contractual clauses for transfers to data processors (“SCC C2P”). However, the rationale behind the Court’s ruling on Privacy Shield would suggest that companies will need to evaluate their use of SCC C2Ps, and in particular, whether the clauses are sufficient to protect personal data transfers in instances where the law of the third country allows its public authorities to access such information.
In our Baker McKenzie Global Privacy and Data Security virtual conference today, we unpack first impressions on the Schrems II ruling, including the impact and next steps for companies to consider regarding transfers to the United States and other third countries.