It’s finally confirmed – standard contractual clauses are in, EU-US Privacy Shield is out!

16th July 2020 Media Law

The landmark ruling in the Schrems II case has just landed, declaring the EU-US Privacy Shield invalid and upholding the standard contractual clauses as valid.

The four main takeaways are:

  1. The EU-US Privacy Shield is now invalidated so it is now an unlawful to transfer personal data to the USA using the Privacy Shield;
  2. Data exporters and importers using the standard contract clauses must verify the level of protection in the 3rd country first. The importer also has a duty to report any issues to the exporter;
  3. EU data protection authorities (the equivalents of the UK’s ICO) have a new role in assessing third countries’ protection and could ban exports of data to certain countries; and
  4. Post Brexit, the UK could be deemed to have inadequate protection given the lack of judicial oversight over the security forces – and this could this lead to a ban on exports of data from the EU to the UK in the future.

Put simply, the CJEU have an issue with the interference of the US national security and law enforcement agencies having priority over the fundamental right of privacy of the persons whose data is transferred to the US, and the surveillance program utilised in the USA. The limitation this places on the protection of personal data in the USA means that the EU-US Privacy Shield is not confined in a way that satisfies the GDPR requirements, and is not limited to what is strictly necessary. As such, the EU-US Privacy Shield has been declared invalid and it can no longer be relied on as a lawful mechanism by which to legitimately transfer data to the US.

This means companies who currently rely on the EU-US Privacy Shield for transferring data to the US will no longer be able to rely on this, and will instead have to consider which alternative legal mechanism to rely on – something easier said than done given the EU’s issues with the US privacy legal system.

The EU issued a press release about the judgement which can be found here.

So why does this matter? Thousands of companies, including major global tech companies like Facebook, Google, and Microsoft, send personal data from the EU to the US on a frequent basis. US law obliges certain technology companies to give its surveillance service access to the personal data that they process in the US, for reasons of national security. This clearly goes against the EUs stance that data protection rights should prevail over unnecessary interference by the government. This decision by the CJEU will mean that companies who currently transfer data from the EU to the US will have to reconsider which valid legal mechanism they can use in order to transfer this personal data legally to the US. Moreover, any data exporter or importer of personal data seeking to rely on the SCCs as a method of transfer will have to verify the level of protection in the third country first, before making the transfer.

What is also interesting about the judgment is that the CJEU have made it clear that they will allow the equivalents of the ICO to suspend or prohibit transfers of personal data to certain countries where they believe the protection afforded by the GDPR in the EU cannot be complied with in that third country, meaning the ICO could effectively ban exports of data to particular countries.

Finally, it also raises the question about what will happen post-Brexit to the UK – will the EU deem the UK to have adequate protection if there continues to be a lack of judicial oversight over the security forces and surveillance of the public? This remains to be seen.

To help businesses plan ahead as a result of the Schrems II judgment, and the forthcoming end of the Brexit transition period, we have put together the following tips: 

  1. Now is a good opportunity to review your flows of personal data, and to identify any key transfers from the EEA/US to the UK.
  2. You should review the mechanisms you currently rely on for transferring personal data, and in particular should seek to revise your SCCs when the new versions are released by the EU.
  3. If you are a multinational business, you should consider your use of any existing EEA-approved binding corporate rules to make transfers into and out of the UK – these will need to be updated to reflect that the UK becomes a third country at the end of the transition period.
  4. You should update your documentation and privacy notices to expressly cover UK to EEA data transfers under UK adequacy regulations.
  5. If you currently transfer data between the UK and the US using the Privacy Shield method, you will need to reconsider the mechanism by which you can continue to transfer the data validly to the US.
  6. If you are a UK-based controller or processor with no offices in the EEA, but you are offering goods or services to individuals in the EEA, or monitoring the behaviour of individuals in the EEA, you will need to consider whether you must appoint a European representative under Article 27 of the GDPR. This representative will need to be set up in an EU or EEA state where some of the individuals whose personal data you are processing in this way are located. The reverse applies if you are an EEA-based controller or processor with no offices in the UK; i.e you will need to set up a representative office in the UK if you are not established there.
  7. Similarly, if you are a controller or processor based outside of the EEA but you are offering goods or services to individuals in the UK, or monitoring the behaviour of individuals in the UK, you will need to consider appointing a representative in the UK.
  8. Generally, you will need to review your privacy notices, data protection impact assessments, and other documentation to update references to EU law, UK-EU transfers, EU-US Privacy Shield, and your EU representative (if applicable).

JMW Solicitors can offer assistance for businesses who require representatives in either the UK or the EU, and are able to act as a representative on behalf of a business in both of these regions. If you have any questions regarding the above, do get in touch and we will assist you in ensuring that your business remains compliant.

We're Social

Hannah Ife is an Associate Solicitor located in Londonin our Data Protection department

View other posts by Hannah Ife

Toni Vitale is a Partner and Head of Data Protection, located in London, in our Data Protection department

View other posts by Toni Vitale

Let us contact you


COVID-19 Update - Our website and phone lines are operating as normal and our teams are on hand to deal with all enquiries. Meetings can be conducted via telephone and video conferencing.

View our Privacy Policy

Areas of Interest