Data transfers under the GDPR to the US after the Court of Justice of the European Union’s decision in the Schrems II case

Published June 1st, 2021

On 1 August 2016, the EU-US Privacy Shield (Privacy Shield) framework become operational. This allowed organisations in the European Union (EU) to transfer personal data to certified organisations in the United States (US) without the need for further safeguards.

An organisation was first required to be certified under the Privacy Shield before it could receive personal data from the EU.

On 16 July 2020, the Privacy Shield was pierced after the Court of Justice of the European Union determined that the mechanism was not a valid mechanism to transfer personal data (known as the Schrems II case).

The result of the Schrems II case meant that organisations relying on the Privacy Shield must now use an alternative mechanism to provide appropriate safeguards for the protection of personal data transferred outside of the EU (such as an agreement containing the European Commission’s standard contractual clauses).

There have since been several court judgments on what constitutes appropriate safeguards when transferring personal data from the EU to the US.

The U.S. Department of Commerce and the European Commission have initiated discussions to evaluate the potential for an enhanced privacy shield to comply with the Schrems II decision.