DRI’s For the Defense
On July 16, 2020, the highest court in the EU, the Court of Justice of the European Union (CJEU), revealed its judgment in what is commonly called “Schrems 2.0.” Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (Case C-311/18). This case largely concerned the validity of different methods of cross-border data transfer between the EU and elsewhere, and in particular: EU-US Privacy Shield and Standard Contractual Clauses (SCCs). The popular headline following the decision was that the court struck down Privacy Shield self-certification, which has been a common basis for exporting information out of the EU and into the U.S., but confirmed that SCCs (and Binding Corporate Rules (BCRs), addressed below) largely remained valid, with additional language required to protect data further. Unfortunately, the decision actually casts a shadow of doubt over any reliance on SCCs or BCRs for transfers of data from the EU into the U.S. right now, at least until further guidance is provided.
These materials have been prepared for informational purposes only and are not legal advice. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Internet subscribers and online readers should not act upon this information without seeking professional counsel.