The Court of Justice of the European Union (CJEU) recently invalidated the EU-U.S. Privacy Shield Framework in its ruling in the Schrems 2 case. The CJEU found that (i) the Privacy Shield does not offer adequate protection to individuals’ privacy rights due to potential broad disclosure of personal data to the U.S. intelligence services/public authorities; and (ii) the Ombudsperson created by the Privacy Shield Framework to address complaints by EU citizens lacks the independence and authority to adopt decisions that bind U.S. intelligence services.
The Privacy Shield was relied on by thousands of companies to transfer personal data from the EU to the U.S. under the General Data Protection Regulation (GDPR). Hence, the Privacy Shield’s invalidation, in combination with the recent guidance by the European Data Protection Board on supplemental measures to guarantee cross-border transfers, means that companies on both sides of the Atlantic need to carefully reconsider their data transfer strategy. This paper will investigate the background that led to the Privacy Shield invalidation, successor of the also invalidated Safe Harbor, and the options available to transfer data between the EU and the U.S. Finally, the paper will discuss recent trends regarding data transfers, including data localization in Europe.