The Court of Justice of the European Union (CJEU) in a surprise decision invalidated the U.S. Privacy Shield in a case called, Schrems II – a decision important to all companies doing business in the EU and collecting personal data about its residents. It found that the Standard Contractual Clauses (SCC) issued by the European Commission to support the lawful transfer of personal data to processors established outside of the EU are valid. At the same time, the Court unexpectedly invalidated the EU-U.S. Privacy Shield framework.

This decision will require companies to re-examine their approach to transferring data between the U.S and the EU.


In 2015 Max Schrems, an Austrian privacy advocate, filed a complaint with the Irish Data Protection Commissioner (the “Irish DPA”).  In it, he challenged Facebook Ireland’s reliance on the SCCs as a legal basis for transferring personal data to Facebook Inc. in the U.S. The CJEU had invalidated the U.S. – EU Safe Harbor Framework in 2015, and Facebook at that time turned to SCCs to lawfully transfer data to the U.S.

Following the complaint, the Irish DPA brought proceedings against Facebook in the Irish High Court, which referred 11 questions to the CJEU for a preliminary ruling. The questions addressed the validity of the SCCs, but also concerned the EU-U.S. Privacy Shield framework.

The Decision

In its decision, the CJEU stated that the SCCs provide sufficient protection for EU personal data but emphasized that EU organizations relying on them are obligated to actively evaluate, prior to any transfer, whether there is in fact an “adequate level of protection” for personal data in the importing jurisdiction. The CJEU also noted that organizations may implement safeguards in addition to those contained in the SCCs, to ensure an “adequate level of protection” for personal data transferred.  It is unclear, however, what form those additional safeguards companies would need to implement.

In ruling that the Privacy Shield is invalid, the CJEU took the view that the limitations of U.S. domestic law on access of the transferred data by U.S. public authorities is not limited in a way equivalent to EU requirements.  Further, the CJEU found that the EU-U.S. Privacy Shield framework does not grant EU individuals actionable rights equivalent to those required under EU law. On those grounds, the CJEU declared the EU-U.S. Privacy Shield invalid.

Next Steps for Companies

Organizations that currently rely on the EU- U.S. Privacy Shield framework will need to quickly identify an alternative data transfer mechanism to continue transfers of personal data to the U.S. While SCCs remain valid, organizations that currently rely on them will need to consider whether there is an “adequate level of protection” for the personal data as required by EU law. Where that is not the case, organizations should consider what additional safeguards may be implemented to ensure there is in fact an “adequate level of protection.”

This ruling requires almost every U.S. businesses to update some practices and begin to consider more long-term issues likely to impact on our ability to remain competitive in the digital age.  All transfers to the U.S. are going to be subject to heightened scrutiny so it is crucial to get your GDPR compliance in top shape now.  Here are our recommendations for your to do list:

  • Amend data processing contracts to include the EU Standard Contractual Clause (SCC).
  • Review practices in your organization to be in compliance with GDPR, particularly consider the fact that data controllers may request more due diligence prior to transferring data to your company.
  • Revisit and amend the privacy policy to account for the new reality
  • Perform due diligence of “knowing your data” across your organization and third-party partners.
  • Consider if it is appropriate for your business to segregate and confine EU data processing only to servers in the EU & UK. This is difficult for many businesses because of the problem that the US-based business may need access to that data – however, under certain circumstances it may be appropriate.
  • Retain an Article 27 EU Representative if you have not already done so – all U.S. businesses must be ready to respond to regulators through a well-prepared and knowledgeable agent in the E.U. & U.K.
  • Appoint a Data Protection Officer if you process sensitive data or fall into one of the other categories for a mandatory DPO.

Achieved Compliance can help you with any of these tasks, and can act as your Article 27 representative in the E.U. and the U.K..  We also serve as a virtual DPO for clients of all sizes, and in all budget ranges.

Achieved Compliance offers a 30-minute webinar to discuss the ramifications of Scherms II.

Click here to attend ‘The End of Privacy Shield & the Fate of US Processing‘ webinar.