“For many the decision by the CJEU today to invalidate Privacy Shield has been a surprise. There is no appeal and the impact is immediate. There are 5378 companies that have certified under the Privacy Shield and they will clearly know that steps need to be taken to adopt other methods of compliance. The real risk is to companies that do not themselves have Privacy Shield but send personal data to US based suppliers who do rely on Privacy Shield. Under the GDPR both the EU based company and the US based supplier are jointly liable for not putting in alternatives to the Privacy Shield quickly enough.
“Many commentators are saying that the Standard Contractual Clauses (or SCCs) remain unaffected. SCCs are the standard form contract issued by the European Commission which permits the lawful export of personal data from the EEA. However in invalidating the Privacy Shield the CJEU casts doubt upon the protection that EU citizens have under US law, not least because US citizens are not able to bring claims to challenge unlawful surveillance. The export of personal data under the SCCs are not permitted if there is doubt about the law in the destination country. More guidance from the EDPB is critical here to help get companies out of this mess.
“The Schrems II case highlights again the important role of privacy under the Charter of Fundamental Rights of the European Union. After the end of the Brexit transition period on the 31st of December the UK will not be subject to this Charter and will likely have its own bill of rights. In theory, on 1 January the UK could resuscitate the Privacy Shield or a UK version of it and re-instate the easy transfer of personal data to the US. Of course in doing so the EU would not grant the UK “adequate status” but it might be a risk that the UK government thinks is worth taking.”