How can we help?


Privacy Shield Declared Invalid by CJEU

The CJEU yesterday handed down its long-awaited decision on questions put to it regarding Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (C-311/18) (Schrems 2).

It found that the transfer mechanism used to permit data transfers to the US under the EU-US Privacy Shield is invalid.

It also found that the use of standard contractual clauses, another mechanism used to permit transfers to countries outside the EEA, remains lawful, subject to assessments being conducted of the level of protection afforded in the recipient country.

For those that have been following the Schrems 2 case, its conclusion concerning the validity of Privacy Shield may have come as a bit of surprise.

The A-G’s advisory opinion to the Court on the Schrems 2 case issued in December 2019 did not specifically address the adequacy of the Privacy Shield regime, but focussed on questions concerning the standard contractual clauses.

Privacy Shield

The EU-US Privacy Shield was a compliance regime adopted by the EU in 2016 as an “adequacy decision” under Article 45 of the General Data Protection Regulation (GDPR). This framework enabled EU organisations to transfer data to the US but only to US organisations which were registered with Privacy Shield.

The CJEU determined that certain domestic US laws which allowed surveillance by U.S intelligence services (including the Foreign Intelligence Surveillance Act, Executive Order 12333 and Presidential Policy Directive 28) did not provide for the required limits on the powers granted to intelligence agencies and non-US individuals would not have a right of redress in US courts for any  interference with their personal data. As a result, the Privacy Shield regime could not be sustained, and the previous decision made in 2016 was declared invalid.

Standard Contractual Clauses

Entry into the EU’s standard contractual clauses is not in and of itself enough to ensure that a transfer outside the EEA will be lawful.

Controllers that use SCCs must also ensure that:

  • they “take measures to compensate for the lack of data protection in a third country”;
  • there are safeguards ; and
  • there exists enforceable rights and effective remedies for the data subject (Article 46 (1)).

In light of the CJEU’s findings on the US laws discussed above, it is highly doubtful that the SCC’s can continue to be used as a lawful way of transferring personal data to the US.

Jacob Montague


View profile

+44 118 960 4613

The transfer mechanism used to permit data transfers to the US under the EU-US Privacy Shield is invalid.

What this means

Neither the Privacy Shield framework or potentially the SCCs should be relied upon to permit transfers of personal data to the US.

Apart from very limited circumstances permitted by Article 49 of the GDPR (such as where explicit consent is obtained for specified transfers or for “occasional” transfers necessary for implementation of pre-contractual measures or for performance of a contract) it now appears the majority of transfers from the EEA to US could be unlawful.

Organisations will be in a state of legal limbo until the EU introduces an alternative scheme or approves other measures to allow the continued lawful transfer of personal data to the US.

It remains to be seen what guidance supervisory authorities release to address the legal vacuum.

The ICO has already delivered a very short press statement last night stating that it is currently considering the judgment and that it stands ready to support UK organisations to ensure global data flows can continue and personal data is protected.

Our Privacy and Data Protection Team can provide advice and review of your organisation’s current methods of compliance and provide practical advice concerning what steps should be taken.

About this article

This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

Jacob Montague


View profile

+44 118 960 4613

About this article

Read, listen and watch our latest insights

  • 22 September 2023
  • Employment

Talking Employment Law: New family friendly rights

In this first podcast in the ‘Talking Employment Law’ series, Lucy Densham Brown and Rebecca Dowle, members of the employment team summarise some of the big new family-friendly Bills that are working their way through parliament.

  • 20 September 2023
  • Commercial Real Estate

Commercial buyers beware of residential Stamp Duty Land Tax

This article discusses a recent case in which a property buyer calculated the Stamp Duty Land Tax due on the purchase at a lower rate, due to the mixed-use purpose of the property.

  • 19 September 2023
  • Privacy and Data Protection

Organisations’ use of social media: Data protection

Social media applications (or commonly known as ‘apps’) are being developed all the time and we are constantly being introduced to new social media platforms, some of which take almost no time to gain huge popularity.

  • 14 September 2023
  • Immigration

Entrepreneurial Dreams: What is the Innovator Founder Visa?

In an era defined by innovation and entrepreneurship, the United Kingdom has made a substantial effort towards fostering its reputation as a global hub for start-ups and innovators. The introduction of the UK’s ‘Innovator Founder’ route has marked a pivotal moment in the country’s immigration policy.

  • 11 September 2023
  • Corporate and M&A

Changes to the tax treatment of Employee Ownership Trusts

The government published a consultation on 18 July 2023 seeking the public’s views on its proposals to reform the tax treatment of Employee Ownership Trusts and Employee Benefit Trusts. Parties are invited to express their opinions via email via the government website until the consultation closes on 25 September 2023.

  • 08 September 2023
  • Immigration

Navigating the Latest Immigration Rules for Overstayers in the UK: A Comprehensive Guide for 2023

Staying beyond the expiration of your UK visa is a serious matter that, in most cases, can result in significant and long-lasting repercussions.