Skip to content

Menu

LexBlog, Inc. logo
NetworkSub-MenuBrowse by SubjectBrowse by PublisherBrowse by ChannelAbout the NetworkJoin the NetworkProductsSub-MenuProducts OverviewBlog ProBlog PlusBlog PremierMicrositeSyndication PortalsAbout UsContactSubscribeSupport
Book a Demo
Search
Close

European High Court Invalidates Privacy Shield, but Upholds Standard Contractual Clauses for International Data Transfers Under the GDPR

By Anna Mercado Clark, CIPP/E, CIPP/US, CIPM, FIP on July 28, 2020
Email this postTweet this postLike this postShare this post on LinkedIn

The General Data Protection Regulation (GDPR), Europe’s restrictive data protection law, permits the transfer of personal data from the European Economic Area1 (EEA) to other countries only under limited circumstances. On July 16, 2020, the Court of Justice of the European Union (CJEU or Court) issued a highly anticipated decision in a case brought by Maximillian Schrems, an Austrian privacy advocate, who challenged Facebook Ireland’s reliance on standard contractual clauses (SCCs) as a legal basis for transferring his personal data to Facebook, Inc. in the United States (U.S.). The Court’s decision has two significant results:

  1. It upheld SCCs (with conditions); and
  2. It invalidated the EU-U.S. Privacy Shield Framework (Privacy Shield).

Companies commonly use these two mechanisms to facilitate the transfer of personal data from the EEA to the U.S. under the GDPR.2 Notably, this decision has far-reaching effects because many U.S.-based companies are subject to the GDPR (even those who have offices only in the U.S.) and/or engage in cross-border data transfers that are subject to the GDPR, sometimes without even realizing it – e.g., by e-mailing or mailing data to recipients located outside of the EEA, hosting data on servers in the EEA (but making that data accessible to individuals in the United States), using service providers located in the EEA, acting as a service provider to companies in the EEA, or collecting data of individuals in the EEA through a website. For insights into what these developments may mean for the future of consumer privacy and cybersecurity, please see our latest Client Alert.


[1] The EEA includes all European Union countries as well as Iceland, Liechtenstein and Norway.

[2] Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18.

Photo of Anna Mercado Clark, CIPP/E, CIPP/US, CIPM, FIP Anna Mercado Clark, CIPP/E, CIPP/US, CIPM, FIP
Read more about Anna Mercado Clark, CIPP/E, CIPP/US, CIPM, FIPEmail
  • Posted in:
    Privacy & Data Security
  • Blog:
    Data Security & Privacy
  • Organization:
    Phillips Lytle LLP
  • Article: View Original Source

LexBlog, Inc. logo
Facebook LinkedIn Twitter RSS
Real Lawyers
99 Park Row
  • About LexBlog
  • Careers
  • Press
  • Contact LexBlog
  • Privacy Policy
  • Editorial Policy
  • Disclaimer
  • Terms of Service
  • RSS Terms of Service
  • Products
  • Blog Pro
  • Blog Plus
  • Blog Premier
  • Microsite
  • Syndication Portals
  • LexBlog Community
  • Resource Center
  • 1-800-913-0988
  • Submit a Request
  • Support Center
  • System Status
  • Resource Center
  • Blogging 101

New to the Network

  • Tennessee Insurance Litigation Blog
  • Claims & Sustains
  • New Jersey Restraining Order Lawyers
  • New Jersey Gun Lawyers
  • Blog of Reason
Copyright © 2025, LexBlog, Inc. All Rights Reserved.
Law blog design & platform by LexBlog LexBlog Logo