On 16 July, 2020, the Court of Justice of the EU (“CJEU”) issued its decision in the Schrems II case. In short, the CJEU invalidated the EU-U.S. Privacy Shield and clarified that the use of standard contractual clauses (“SCCs”) requires data controllers to conduct a case-by-case assessment of the level of data protection that SCCs can provide, taking into account the nature of the personal data transfer(s) and the country of destination. For a more in-depth summary of the CJEU’s decision, please see our blog post here and our audiocast here.
Now, almost two months after the decision, it is an opportune time for businesses to take stock of what exactly happened and assess the practical implications of the judgement. The result of this impact analysis may be underwhelming for some. So far, European regulators have been mostly silent (save a few exceptions) and have not issued any actionable guidance to speak of. In all fairness, the obligations imposed by the CJEU’s judgement may be just as daunting for regulators to apply in practice as for businesses. As a result, companies and practitioners are left grappling with what exactly they should do in the aftermath of this decision.
In this blog post, we set out some recommendations for immediate and long-term actions that businesses may want to consider implementing. Note, however, that much depends on the nature of the personal data transfers concerned. As can be gleaned from the CJEU’s judgement, some transfers are more sensitive than others, and some sectors are more sensitive than others (in particular, the electronic communications sector). These risk-based considerations should inform how businesses prioritize remedial actions going forward.