In a decision with significant implications for international trade and cross-border data flows, the EU’s highest court, the Court of Justice of the European Union, ruled on July 16, 2020, that the EU-U.S. Privacy Shield program, a key legal mechanism used to enable transfers of personal data from the European Union, was invalid, while also potentially requiring additional protections to be implemented when another key transfer mechanism, called Standard Contractual Clauses, is used.
Subsequent guidance published by the European Data Protection Board confirmed that data exporters in the EU and data importers outside the EU have an obligation to assess whether third countries outside the EU that they are transferring personal data to have a level of data protection essentially equivalent to that guaranteed within the EU by the General Data Protection Regulation. Where the assessment, taking into account the relevant laws of the third country and the circumstances of the transfers, shows that there is not such a level of essentially equivalent protection then supplementary measures to provide such a level of protection should be put in place. As a result of the Schrems II decision, international data transfers from the EU by companies and others have been thrown into doubt and further guidance and developments are expected in this highly dynamic situation.
This page provides a variety of substantive resources contributed by our lawyers to keep you informed as to how this decision and subsequent guidance and developments will impact the future of international data flows and the business landscape.