The Privacy Shield is Broken. What Do We Do Now?

16.07.2020 - The Court of Justice of the European Union (CJEU) has delivered on 16 July 2020 its judgment in CJEU case C-311/18 (also known as “Schrems II” case).

European telecommunication network connected over Europe, France, Germany, UK, Italy, concept about internet and global communication technology for finance, blockchain or IoT, elements from NASA

Roxana Ionescu, Madalina Bucur & Simona Furnica

The Court of Justice of the European Union (CJEU) has delivered on 16 July 2020 its judgment in CJEU case C-311/18 (also known as “Schrems II” case).

As we anticipated in the article published while waiting for the judgment, CJEU has not only ruled on the validity of the Commission’s standard contractual clauses (SCCs), but also decided the fate of the EU-US Privacy Shield framework.

What did CJEU decide in the Schrems II case?


In a nutshell:

  1. The EU-US Privacy Shield framework was invalidated, as, among others, the US public authorities access and use of the data transferred are not governed by requirements equivalent with those under the EU law and data subjects are not granted with actionable rights before the courts against the US authorities.
  2. The SCCs are a valid mechanism of transfer under GDPR, but not without restrictions, since starting from now:
    • prior to any transfer of personal data based on the SCCs, both the exporter and the importer have to verify whether the level of protection required by EU law is ensure in that third country;
    • such evaluation should take into consideration (i) the contractual clauses agreed between the parties and (ii) any relevant aspect of the legal system of the third country in relation to any access by public authorities of that third country.
  1. The supervisory authorities must have an active role on data transfers, since CJEU regulated that:
  • unless there is a valid Commission adequacy decision, the supervisory authorities are required to suspend or prohibit a data transfer to a third country pursuant to SCCs if two cumulative conditions are met:
    • in the view of that supervisory authority and in the light of all the circumstances of that transfer, those SCCs are not or cannot be complied with in that third country, and
    • the protection of the data transferred that is required by EU law cannot be ensured by other means, where the data exporter established in the EU has not itself suspended or put an end to such a transfer.
What does the CJEU judgment in Schrems II case mean for the companies?


  • It is no longer lawful to rely on the EU-US Privacy Shield framework to legitimize data transfers to the US.
  • Controllers who rely on SCCs have more obligations as they must verify whether the level of protection required by EU law is ensured in the third country where it is intended to transfer the data.

Until a feasible solution is found, on a case by case scenario, certain severe decisions may need to be made by companies (e.g., temporary cease the transfer of data to third countries) to avoid fines under GDPR and compensation claims from data subjects whose data are being transferred.

What to do next?


Companies may consider taking at least the following measures, if not already done by now (at least partially), as recommended in our previous article:

  1. Identify and map all data transfers outside the EEA which are based on SCCs and on the EU-US Privacy Shield framework;
  2. Suspend or temporary cease the data transfers based on the EU-US Privacy Shield framework, at least until the following measures are checked;
  3. In case of data transfers based on the SCCs, evaluate whether the level of protection required by EU law is ensured in that third country by taking into account both the contractual clauses agreed the data importer, as well as any potential access to data by public authorities of the third country and the legal system of that third country in relation to such access. Depending on the outcome of the evaluation, suspend or temporary cease the transfer, at least until the following measures are checked;
  4. Assess the importance of these data transfers for the business operations;
  5. Try to identify alternatives which would not require further transferring the personal to a third country;
  6. Assess the costs and formalities thereof relating to such alternatives and the business needs;
  7. Review the agreements in place with data importers to ensure proper protection of the personal data transferred, the remedies and risks if the agreements could no longer be executed;
  8. Check if other safeguards (e.g., Binding Corporate Rules) are appropriate or feasible to rely on; assess the formalities that have to be undergone for putting in place such other safeguards;
  9. Initiate discussions with data importers to take their pulse in this matter;
  10. Assess the derogations under Article 49 of GDPR, if none of the above solutions are applicable;
  11. Prepare for receiving more data subject’ access requests than current numbers; Customer intensive sectors, such as banking, insurance, online retail, are expected to see the highest number of such requests based on current Romanian market trends;
  12. Review action plans that may have been adopted in the context of Safe Harbor invalidation, especially if they have proven to be useful in that instance;
  13. Make the management aware of the risks and present actions plan to mitigate such.

Since CJEU has passed the ball to the supervisory authorities, companies may expect their public statements on the CJEU judgment, which can be a useful resource.