December 2020

You Can’t Get There from Here: Did the EU Just Outlaw Almost All Transfers of Personal Data to the U.S.?

By Roy Wyman, Colton Driver, CIPP/E

DRI’s For the Defense

On July 16, 2020, the highest court in the EU, the Court of Justice of the European Union (CJEU), issued its judgment in what is commonly called “Schrems 2.0,” Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (Case C-311/18). This case largely concerned the validity of different methods of cross-border data transfer between the EU and elsewhere, in particular the EU-US Privacy Shield and Standard Contractual Clauses (SCCs). The popular headline following the decision was that the court struck down Privacy Shield self-certification, which has been a common basis for exporting information out of the EU and into the U.S., but confirmed that SCCs (and Binding Corporate Rules (BCRs), addressed below) largely remained valid, with additional language required to protect data further. Unfortunately, the decision actually casts a shadow of doubt over any reliance on SCCs or BCRs for transfers of data from the EU into the U.S. right now, at least until further guidance is provided.