Schrems II decision: Privacy Shield invalid, Standard Contractual Clauses survive

The European Court of Justice's judgment in Schrems II case published on 16 July, 2020 founded the Privacy Shield Decision invalid. The judgement also stated that the Commission Decision on Standard Contractual Clauses for the transfer of personal data to processors established in third countries remain valid.

The GDPR provides that the transfer of personal data to a third country may, in principle, take place only if the third country in question ensures an adequate level of data protection. According to the GDPR, the Commission may find that a third country ensures an adequate level of protection. In the absence of an adequacy decision, another frequently used tool is the so-called standard data protection clauses. 

One of the legal bases for the transfer of data to the United States was the so-called Privacy Shield. This provided a mechanism to ensure an adequate level of protection in the case of transfers of personal data to the US. Since the Privacy Shield has been invalidated by the Court, personal data may no longer be transferred to the US based on this adequacy decision.

On 24 July 2020, the EDPB (European Data Protection Board) provided further "guidance" on Schrems II to clarify on how the judgment now needs to be implemented by companies that transfer personal data to countries outside the EEA. The EDPB stressed that the ruling is a 'living document', therefore not conclusive, and that further guidance will be provided.

The EDPB confirmed that Standard Contractual Clauses remain a possible basis for data transfers outside the EEA but emphasised again that a transfer to the US can only be justified via Standard Contractual Clauses if additional measures are taken to ensure the same level of data protection equivalent to the level offered in the European Union. The EDPB stated that the European Court of Justice’s assessment of the invalidity of the Privacy Shield is also applicable regarding BCRs (Binding Corporate Rules), since U.S. law will also have primacy over this tool. This means that a similar case-by-case assessment as that used for Standard Contractual Clauses is required and the above requirements also apply for BCRs.

The EDPB expressed that any data transfer based on the Privacy Shield is illegal and there will be no 'grace period' for data processing on this framework, as the U.S. law does not provide equivalent level of protection as in the EU - according to the Court.