The General Data Protection Regulation (GDPR), Europe’s restrictive data protection law, permits the transfer of personal data from the European Economic Area1 (EEA) to other countries only under limited circumstances. On July 16, 2020, the Court of Justice of the European Union (CJEU or Court) issued a highly anticipated decision in a case brought by Maximillian Schrems, an Austrian privacy advocate, who challenged Facebook Ireland’s reliance on standard contractual clauses (SCCs) as a legal basis for transferring his personal data to Facebook, Inc. in the United States (U.S.). The Court’s decision has two significant results:
- It upheld SCCs (with conditions); and
- It invalidated the EU-U.S. Privacy Shield Framework (Privacy Shield).
Companies commonly use these two mechanisms to facilitate the transfer of personal data from the EEA to the U.S. under the GDPR.2 Notably, this decision has far-reaching effects because many U.S.-based companies are subject to the GDPR (even those who have offices only in the U.S.) and/or engage in cross-border data transfers that are subject to the GDPR, sometimes without even realizing it – e.g., by e-mailing or mailing data to recipients located outside of the EEA, hosting data on servers in the EEA (but making that data accessible to individuals in the United States), using service providers located in the EEA, acting as a service provider to companies in the EEA, or collecting data of individuals in the EEA through a website. For insights into what these developments may mean for the future of consumer privacy and cybersecurity, please see our latest Client Alert.
[1] The EEA includes all European Union countries as well as Iceland, Liechtenstein and Norway.
[2] Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18.