by Friedrich Popp, Robert Maddox, Christopher Garrett, Fanny Gauthier, Jeffrey P. Cunard, Luke Dembosky, Jeremy Feigelson, Avi Gesser, Jim Pastore, Thomas Schurrle, Alexandre Bisch, and Anna Gressel
Yesterday, the Court of Justice of the European Union (CJEU), the EU’s highest court, invalidated the EU-U.S. Privacy Shield for cross-border transfers of personal data. The CJEU’s decision also cast significant doubts over whether companies can continue to use the European Commission-approved Standard Contractual Clauses (SCCs) to transfer EU personal data to the U.S., or to other jurisdictions with similarly broad surveillance regimes. The CJEU’s lengthy decision is here and its short-form press release is here (PDF: 319.62 KB).
What does this mean for organizations that rely on Privacy Shield or SCCs? History suggests that privacy enforcement authorities in the EU may hold their fire while efforts are made to come up with a replacement system for data transfers. EU authorities hopefully will clarify their enforcement intentions soon. In any event, organizations that have relied on Privacy Shield will have to turn immediately to considering what practical alternatives they might adopt. U.S. government authorities will also have to turn to the knotty question of what data transfer mechanisms might ever satisfy the CJEU, given persistent EU concerns about U.S. government surveillance of personal data.