The European Union’s (EU) highest court has ruled that the so-called “Privacy Shield” Framework is invalid. The Privacy Shield Framework had been negotiated between the EU and the United States to permit U.S. companies operating in the EU to transfer personally identifiable data from the EU to the U.S. without violating the EU’s strict data protection requirements. However, the Schrems II decision underscores the numerous provisions included within standard contract clauses (SCCs) designed to ensure that data transferred pursuant to a SCC is protected in an equivalent manner to data in the EU. Companies desiring to rely on SCCs are advised to engage in a process to assess their level of risk in light of factors highlighted in the ECJ’s opinion.
This latest ruling by the European Court of Justice (ECJ), in Data Protection Commissioner v. Facebook Ireland Ltd. and Maximillian Schrems (Schrems II), No. C-311/18 (ECJ July 16, 2020), stems from a legal challenge brought by an Austrian citizen who claimed that the Privacy Shield did not adequately protect his personal data from transfer into the U.S. and from surveillance by the U.S. government, in violation of the GDPR.
Members of the Center for Workplace Compliance (CWC) can read more here.