Privacy Shield: International data transfers and the Schrems II ruling
HomePrivacy Shield: International data transfers and the Schrems II ruling
The international transfer or sharing of corporate, consumer or employee data is critical to the business operations of multinational corporations across industries. The future of international data flows and use of data transfer mechanisms has been called into question by the Court of Justice of the European Union (CJEU) in its recent ruling invalidating the EU-U.S. Privacy Shield. This has become widely known as the "Schrems II" decision. In addition to invalidating the Privacy Shield, the CJEU has placed some conditions on the use of standard contractual clauses (SCCs), which is an alternative legal mechanism for safeguarding personal data transferred outside the EU. It is currently unclear whether a grace period for enforcement will be granted and there are a myriad of considerations in determining an alternative safeguarding mechanism.
Our global data protection team can help you develop truly worldwide internal and external data transfer strategies, including conducting privacy and security assessments to evaluate human resources procedures, monitoring, marking and advertising practice, and crafting mechanisms to transfer data using binding corporate rules (BCR), model contracts, and other methods. Our remediation toolkit has been designed for companies that were relying on the Privacy Shield as a safeguard under the GDPR to transfer personal data to the United States (either directly as an importer or exporter, or indirectly as part of its supply chain).