Two more US–EU data transfer agreements could be invalidated

This text is automatically translated for your convenience. You can read the text in:

English Swedish (original) Give feedback

Today, the Court of Justice of the European Union (CJEU) begins its review of the validity of Privacy Shield and the Standard Contractual Clauses (SCCs).

These are two important agreements widely used by companies within the European Economic Area (EEA) to legitimize the transfer of personal data to countries outside the EEA.

The case that initiated this review is Schrems 2.0, a continuation of a case (Schrems 1.0) launched in 2013, in which Max Schrems filed a complaint against Facebook for disclosing personal data to the NSA.

The Schrems 1.0 case led the CJEU to invalidate the then-current Safe Harbour framework, and thousands of companies switched to the SCCs. Schrems 2.0 continues this dispute, with Max Schrems questioning the security of the SCCs and Privacy Shield as replacements for Safe Harbour.

Significant risk

There is a significant risk that the CJEU will invalidate Privacy Shield and the SCCs, which would leave many companies without a lawful basis to transfer personal data to third countries. This is exactly what happened the first time this case was heard, in 2015, when Safe Harbour was invalidated.

Our recommendations

We have updated the recommendations in our White Paper on how organizations should plan following the introduction of the GDPR and the CLOUD Act, and now that Privacy Shield and the SCCs may be invalidated.

Download the full background on the security landscape in Europe and how you can secure your data ahead of upcoming EU legislation.

Sources

DLA Piper, 2019-07-01
TechCrunch, 2019-06-24
U.S. Department of Justice, 2019-04

Read the white paper