In a much-anticipated landmark ruling today, the Court of Justice of the European Union (CJEU) invalidated the US-EU Privacy Shield framework as a legal basis for cross-border data transfers between the two jurisdictions.

As background, this decision comes in the wake of an earlier invalidation, in 2015, of the US-EU Safe Harbor framework in what is known as the Schrems I case. Coming on the heels of NSA contractor Edward Snowden’s disclosures of bulk collection surveillance in the United States, Schrems I underscored the tension between American surveillance laws and European privacy rights. As a result of that decision, the US and EU created the Privacy Shield framework, which was intended to address that tension and provide new safeguards to European residents whose data was transferred to the United States.

In the years since Schrems I, we have seen significant shifts in the data privacy landscape. Arguably the most notable change has been the enactment of GDPR, specifying numerous individual privacy rights and also enabling a handful of legal data transfer mechanisms. In practice, three of these mechanisms have tended to compete in roughly the same space: standard contractual clauses (SCCs), binding corporate rules (BCRs), and Privacy Shield.

The CJEU’s decision today in Schrems II amounts to a determination that Privacy Shield is no longer sufficient to protect the data of EU citizens. As for standard contractual clauses, the court today said they remain adequate, but that organizations must now apply additional scrutiny in evaluating the legal protections in the receiving country, and in some cases consider including even greater protections in their contracts.

The implications of this decision are extremely significant. And today there are more questions than answers. For example, how do companies now assess whether a country has “adequate protections” in place to legally support the use of SCCs? To what extent has the risk landscape now changed? How will this decision expand the proliferation of private litigation? Will data localization become a more cost-effective strategy due to its risk-minimizing effect? Finally, what impact will this decision have on the building momentum in the United States toward more comprehensive federal data privacy legislation?

Despite so many unanswered questions, there are a number of sensible next steps organizations can take to move ahead from this decision.

  • First, consult with the right external experts and internal stakeholders to gain a better understanding of how Schrems II will affect the organization’s particular risk landscape. For example, this could include working with internal IT and InfoSec teams to review existing data maps, and/or consulting with data privacy experts to assess whether a receiving country has adequate protections to support current SCCs.
  • Second, communicate the implications of today’s decision to senior leadership as soon as possible, since the impacts are likely to be significant and planning and documentation will be key going forward.
  • And finally, begin assessing the changed landscape and developing an action plan to address it.