Description

On 16 July 2020, the Court of Justice of the European Union (“CJEU”) vide its judgment in the Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems1 (the “Schrems II Case”) held the EU-US Privacy Shield, one of the primary data transfer mechanisms for the safe and free flow of data between EU and US organizations, as invalid. While the CJEU upheld the use of Standard Contractual Clauses (“SCCs”) for transfer of personal information outside European Economic Area (“EEA”), it required that organizations perform a case-by-case analysis to determine whether the laws in the country to which the data is being transferred, ensures adequate protection. For those transfers where the recipient country does not provide adequate protections, the CJEU requires that data exporters provide additional safeguards or suspend transfers.