The recent Schrems II decision by the Court of Justice of the European Union found that the EU-U.S. Privacy Shield is invalid. TrustArc’s Paul Breitbarth offers guidance for companies on how to maintain compliance going forward.
Thousands of businesses regularly transfer personal data between EU countries and the U.S. The Privacy Shield agreement governed those transfers, but in July, the European Court of Justice (CJEU) invalidated the agreement in what is colloquially known as the Schrems II case. Schrems II also forced the court to examine standard contractual clauses (SCCs), mechanisms for transferring personal data between the U.S. and the EU. Organizations are now left with more questions than answers when it comes to the international transfer of personal data.
What is Schrems II and why does it matter?
In the context of commercial data privacy concerns, the fact that Privacy Shield is no longer valid is important. However, the invalidation was collateral damage from the two legal cases that bear privacy advocate Maximilian Schrems’ name. The Schrems cases were about data transfers, specifically from EU member states to the U.S., by a large technology organization.
The latest ruling represents the Irish Data Protection Commissioner’s (DPC) mandate that the organization cease data transfers from the EU to the…