Today, the Court of Justice of the European Union issued a landmark decision striking down the EU-U.S. Privacy Shield—an agreement between EU and U.S. authorities authorizing transfers of EU personal data to the United States—but upholding the validity of standard contractual clauses (“SCCs”), another mechanism that EU-based organizations use to transfer data internationally. Covington represents BSA | The Software Alliance (“BSA”) in the case, and key aspects of BSA’s arguments on the validity of SCCs were reflected in the Court’s decision.

The Court’s judgment, in Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (“Schrems II”), holds that the Privacy Shield does not take adequate account of U.S. laws authorizing public authorities to access data transferred from the EU to the United States. The Court also concludes that the ombudsperson mechanism referred to in the Privacy Shield Decision does not provide effective administrative or judicial redress for the data subjects concerned.  The Court holds therefore that the Privacy Shield does not provide protections that are “essentially equivalent” to those set out in EU law — and invalidated the Privacy Shield with immediate effect. The judgment essentially decides the outcome of a separate case pending before the Court, Case T-738/16, La Quadrature du Net and Others v. Commission, which focused directly on the validity of the Privacy Shield, and in which Covington also represented BSA.

In a separate part of its judgement, the Court upheld the validity of the SCCs, which many EU entities currently rely on to transfer data internationally. The Court added, however, that use of the SCCs requires an a priori compliance assessment of the context of each individual transfer, including the laws of the country where the recipient is based and any additional safeguards adopted by the parties. In the Court’s words, EU law requires entities relying on the SCCs “to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.”  (para. 134)

The Schrems II judgment will require many EU data controllers to reassess, and in some cases adapt, the mechanisms they use to transfer data internationally, not just to the United States but potentially to other foreign countries as well.

For more information on the background, please see our previous blog post on the AG’s Opinion here and prior press release on the oral hearing here.

The Covington team representing BSA in these cases is led by partner Lisa Peets and includes Brussels and London lawyers Kristof Van Quathem, Bart Van Vooren, and Sam Jungyun Choi. Companies with questions on the impact of today’s decision should feel free to reach out to any member of the team.

Tags: EU-U.S. Privacy Shield, European Union (EU), General Data Protection Regulation (GDPR), Standard Contractual Clauses (SCCs)
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Lisa Peets Lisa Peets

Lisa Peets leads the Technology Regulatory and Policy practice in the London office and is a member of the firm’s Management Committee. Lisa divides her time between London and Brussels, and her practice embraces regulatory counsel and legislative advocacy. In this context, she…

Lisa Peets leads the Technology Regulatory and Policy practice in the London office and is a member of the firm’s Management Committee. Lisa divides her time between London and Brussels, and her practice embraces regulatory counsel and legislative advocacy. In this context, she has worked closely with leading multinationals in a number of sectors, including many of the world’s best-known technology companies.

Lisa counsels clients on a range of EU law issues, including data protection and related regimes, copyright, e-commerce and consumer protection, and the rapidly expanding universe of EU rules applicable to existing and emerging technologies. Lisa also routinely advises clients in and outside of the technology sector on trade related matters, including EU trade controls rules.

According to the latest edition of Chambers UK (2022), “Lisa is able to make an incredibly quick legal assessment whereby she perfectly distils the essential matters from the less relevant elements.” “Lisa has subject matter expertise but is also able to think like a generalist and prioritise. She brings a strategic lens to matters.”

Read more about Lisa PeetsEmail
Show more Show less
Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Read more about Kristof Van QuathemEmail
Show more Show less
Photo of Bart Van Vooren Bart Van Vooren

Bart Van Vooren has a broad life sciences practice supporting innovative pharmaceutical, food, medtech and biotech companies on EU regulatory, commercial and strategic policy assignments. He is widely recognized for his expertise on general EU law and procedure, as well as his extensive…

Bart Van Vooren has a broad life sciences practice supporting innovative pharmaceutical, food, medtech and biotech companies on EU regulatory, commercial and strategic policy assignments. He is widely recognized for his expertise on general EU law and procedure, as well as his extensive litigation experience before the EU Court of Justice in dozens of cases.

Over the past seven years, Mr. Van Vooren has developed a niche practice on compliance with the Biodiversity Convention and the Nagoya Protocol, a set of rules to combat bio-piracy worldwide. He has accumulated unique, practical experience in dozens of jurisdictions around the world, and has handled everything from benefit-sharing negotiations, over compliance programs, to inspections by authorities.

Finally, Mr. Van Vooren has an active pro bono practice assisting NGOs defending the human rights of persons with a disability through strategic litigation.

Read more about Bart Van VoorenEmail
Show more Show less
Photo of Marty Hansen Marty Hansen

Martin Hansen has represented some of the world’s leading information technology, telecommunications, and pharmaceutical companies on a broad range of cutting edge international trade, intellectual property, and competition issues. Martin has extensive experience in advising clients on matters arising under the World Trade…

Martin Hansen has represented some of the world’s leading information technology, telecommunications, and pharmaceutical companies on a broad range of cutting edge international trade, intellectual property, and competition issues. Martin has extensive experience in advising clients on matters arising under the World Trade Organization agreements, treaties administered by the World Intellectual Property Organization, bilateral and regional free trade agreements, and other trade agreements.

Drawing on ten years of experience in Covington’s London and DC offices his practice focuses on helping innovative companies solve challenges on intellectual property and trade matters before U.S. courts, the U.S. government, and foreign governments and tribunals. Martin also represents software companies and a leading IT trade association on electronic commerce, Internet security, and online liability issues.

Read more about Marty HansenEmail
Show more Show less
Photo of Sam Jungyun Choi Sam Jungyun Choi

Sam Jungyun Choi is an associate in the technology regulatory group in the London office. Her practice focuses on European data protection law and new policies and legislation relating to innovative technologies such as artificial intelligence, online platforms, digital health products and autonomous…

Sam Jungyun Choi is an associate in the technology regulatory group in the London office. Her practice focuses on European data protection law and new policies and legislation relating to innovative technologies such as artificial intelligence, online platforms, digital health products and autonomous vehicles. She also advises clients on matters relating to children’s privacy and policy initiatives relating to online safety.

Sam advises leading technology, software and life sciences companies on a wide range of matters relating to data protection and cybersecurity issues. Her work in this area has involved advising global companies on compliance with European data protection legislation, such as the General Data Protection Regulation (GDPR), the UK Data Protection Act, the ePrivacy Directive, and related EU and global legislation. She also advises on a variety of policy developments in Europe, including providing strategic advice on EU and national initiatives relating to artificial intelligence, data sharing, digital health, and online platforms.

Read more about Sam Jungyun ChoiEmailSam Jungyun's Linkedin Profile
Show more Show less