EU-US Privacy Shield invalid: Schrems II


In a bombshell decision in Schrems II released earlier today, the Court of Justice of the European Union (CJEU) found that the Commission decision finding the EU-US Privacy Shield to be adequate for transferring personal data to the U.S. is invalid. In what can only be seen as a double whammy, the CJEU also ruled that transferring personal data to the U.S. pursuant to standard data protection clauses adopted by the Commission could also be found to be invalid by local data protection authorities. For more detail about the decision, see the blog post by Michael Scherman and Keith Rose of McCarthy Tetrault, Schrems II: The Saga Continues.

The Schrems II decision followed the 2015 Schrems I decision of the CJEU that struck down the framework that underpinned the EU-US privacy safe harbor.

The Schrems II decision will have significant consequences for transfers of personal information from the EU to the U.S. It will directly affect Canadian companies including multinationals that do business in the U.S. and transfer personal information to the U.S. from the EU for processing or other uses. The decision also reinforces the risk that arose after Schrems I that the adequacy finding PIPEDA enjoys will one day be revisited.

Companies that transfer personal data from the U.S. should review the basis for the transfers. This should include reviewing major agreements with processors, outsourcers and hosting providers to ensure that all transfers to the U.S. may be lawfully continued.

For questions about the implications of the Schrems II decision, you may want to call a lawyer in the McCarthy Tetrault Cybersecurity, Privacy & Data Management group.

Print Friendly, PDF & Email

Leave a Reply

Your email address will not be published. Required fields are marked *

OPC position on online reputation: search engines must de-index privacy violating personal informationOPC position on online reputation: search engines must de-index privacy violating personal information



Are search engines subject to PIPEDA? Should they be required to de-index web pages such as when information about an individual is inaccurate, incomplete or outdated, ;or when the linked to information is illegal? Should search ...

%d bloggers like this: