The Court of Justice of the European Union has delivered its eagerly awaited decision, in Schrems II (Case C-311/18).
Why is the case important?
Schrems II calls into the question the ability of companies to lawfully transfer data from the EU to the United States (US) and other countries.
The GDPR contains strict rules on transferring data from the EU to third countries, and this case deals with the compatibility of these rules with surveillance laws in other countries.
What has the Court decided?
The headline outcome is that:
- The Privacy Shield decision is invalid with immediate effect – this means that companies can no longer rely on a Privacy Shield certification when transferring personal data to the US.
- Standard contractual clauses (SCCs) are valid – but their use is subject to certain pre-conditions and ongoing obligations.