The Court of Justice of the European Union (CJEU), in its decision in the Schrems II case, has invalidated the EU-U.S. Privacy Shield method for cross-border transfer of personal data from the European Union to the United States, citing surveillance practices by U.S. public authorities and inadequate legal recourse to EU individuals.
Standard Contractual Clauses remain alive, but an obligation is imposed on those who control/transfer data to ensure that the legal regime in the relevant destination is such that it allows the transferee to comply with the contractually obligations imposed by the clauses.
The U.S. Department of Commerce responded:
“We have been contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments. Data flows are essential not just to tech companies—but to businesses of all sizes in every sector,” said U.S. Secretary of Commerce Wilbur Ross about the CJEU decision in the Schrems II case invalidating the EU-U.S. Privacy Shield transfer mechanism.
“The Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. Today’s decision does not relieve participating organizations of their Privacy Shield obligations.”