The Court of Justice of the European Union issued its decision in “Schrems II” Thursday, a landmark decision that invalidates the EU-U.S. Privacy Shield arrangement. Until July 16, Privacy Shield had served as an approved “adequacy” mechanism to protect cross-border transfers of personal data from the European Union to the United States under the EU General Data Protection Regulation. More than 5,000 organizations participate in Privacy Shield. Many thousands more EU companies rely on Privacy Shield when transferring data to these organizations. Overnight, it seems the certainty of the conditions for the lawful transfer of this data has been removed.

Note: This is the first in a series of guidance notes on what the “Schrems II” decision means for companies that rely on EU-U.S. Privacy Shield, controller-to-processor standard contractual clauses, SCCs for transfers to controllers, derogations/exceptions to transfer restrictions, and binding corporate rules, as well as what “Schrems II” means for Brexit and what companies can expect with the road ahead on these issues.


Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing, information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.