The Schrems II judgement of the Court of Justice of the European Union (CJEU) makes the transfer of personal data to the US from the EU close to legally impossible. The Court has struck down Privacy Shield as incapable of providing sufficient protection for the personal data of EU citizens transferred to the US and has severely constrained the use of Standard Contractual Clauses (SCCs) as an alternative way of doing so.

The Court’s judgement is rooted in the belief that there is a significant disconnect between the EU’s emphasis on data privacy as a fundamental right, and the US’s stress on the national security imperative for its intelligence agencies to be able to access data transferred to the US. (See here for a useful summary of the background to the case).

The bottom line takeaway from the CJEU’s decision is that, no matter what procedure is used, it is illegal to transfer the personal data of EU citizens to third countries if that data cannot be protected to the standards that the EU demands when it arrives in that country.

The CJEU, in line with the Charter of Fundamental Rights and the wording of the GDPR, has prioritised data privacy over economic considerations. Whether an appropriate balance has been struck is for European politicians to decide.

Continue reading →