In a landmark decision in what is popularly known as the “Schrems II” case, the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield, the framework that facilitated the transfers of personal data from the European Union to the United States for thousands of companies. The court cited the breadth of National Security Agency surveillance programs (in connection with FISA Section 702 and Executive Order 12333) and the lack of redress for European individuals in connection with such surveillance of their personal data.
The court also said Standard Contractual Clauses (SCCs), the key mechanism used for cross-border transfers of data from the EU, are still alive, “BUT.”
The “BUT” is that the court said each transferor (the exporter of data from the EU, i.e., you) needs to consider the legal regime in the transferee’s country and determine whether, in view of the circumstances of each transfer, that regime allows the transferor to abide by the requirements of the SCCs to provide adequate protection to EU individuals. This may need to be addressed using supplemental protections, which the court did not list.
What does this mean for you, a U.S.-based company?