The Court of Justice of the European Union (CJEU)’s historic decision in Schrems II, in which the EU-U.S. Privacy Shield was invalidated, requires businesses to rethink the mechanism they can rely on to transfer personal data from the EU to the United States and other countries. However, how the decision will be enforced remains uncertain.
Despite the invalidation of Privacy Shield, the U.S. Department of Commerce issued a statement that it “will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List.” And although the CJEU’s decision in principle upheld the validity of Standard Contractual Clauses (SCCs), the judgment drew reactions from various EU data protection supervisory authorities (DPAs), some calling into question the use of SCCs for EU to U.S. transfers.
Read the full GT Alert, “The End of Privacy Shield: European Data Protection Authorities React.”