The European Court of Justice (“ECJ”) issued a landmark ruling earlier today that invalidates the EU – US Privacy Shield Framework (“Privacy Shield”) in Case C-311/18 (“Schrems II”).  Prior to the ECJ’s ruling in this case, the Privacy Shield served as an approved “adequacy” mechanism to protect cross-border transfers of personal data from the European Union to the United States. The focus of the Court’s concern did not relate to the commercial aspects of Privacy Shield (e.g., the substantive privacy rules followed by participating US companies) but rather to the ability of US intelligence agencies to gather data under current US law and practice without providing, in the Court’s view, sufficient privacy protections for EU residents. 

Importantly, the Court did not invalidate the European Commission decision approving certain standard contractual clauses for transfers to data processors (“SCC C2P”). However, the rationale behind the Court’s ruling on Privacy Shield would suggest that companies will need to evaluate their use of SCC C2Ps, and in particular, whether the clauses are sufficient to protect personal data transfers in instances where the law of the third country allows its public authorities to access such information.

In our Baker McKenzie Global Privacy and Data Security virtual conference today, we unpack first impressions on the Schrems II ruling, including the impact and next steps for companies to consider regarding transfers to the United States and other third countries. 

Click here to watch the full discussion

For more on Schrems II, visit our Schrems II Resource Hub.

Author

Elisabeth is a partner in Baker McKenzie's Brussels office. She advises clients in all fields of IT, IP and new technology law, with a special focus on data protection and privacy aspects. She regularly works with companies in the healthcare, finance and transport and logistics sectors.

Author

Joanna advises on a wide range of technology and commercial agreements and matters. Her practice focuses on regulatory issues, especially data protection, consumer law, and advertising and marketing, and she regularly advises clients on these areas in particular.

Author

Dr. Lukas Feiler, SSCP, CIPP/E, has more than eight years of experience in IP/IT and is a partner and head of the IP and IT team at Baker McKenzie • Diwok Hermann Petsche Rechtsanwälte LLP & Co KG in Vienna. He is a lecturer for data protection law at the University of Vienna Law School and for IT compliance at the University of Applied Science Wiener Neustadt.

Author

Francesca Gaudino is the Head of Baker McKenzie’s Information Technology & Communications Group in Milan. She focuses on data protection and security, advising particularly on legal issues that arise in the use of cutting edge technology.

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author

Julia advises both German and international companies on all legal issues related to information technology, sourcing, data privacy and data protection, e-commerce, marketing and matters related to Internet and media law. She assists international online businesses with regard to commercial issues as well as compliance with consumer protection and data privacy law.

Author

Wouter is a partner in the Firm's IP/IT & Commercial Practice Group in Amsterdam. He has significant experience in assisting national and international clients with respect to issues concerning ownership and protection of electronic data. Wouter has a particular interest in all internet-related issues on the subject of intellectual property rights.

Author

Florian Tannen is a partner in the Munich office of Baker McKenzie. He advises on all areas of contentious and non-contentious information technology law, including internet, computer/software and data privacy law.