In its July 16, 2020 decision in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems, Case C-311/18 (“Schrems II”), the European Union Court of Justice (“ECJ”) upheld European Commission Decision 2010/87 on Standard Contractual Clauses (“SCCs”) as a basis in EU law for transferring personal data to non-EU countries. The ECJ indicated that, going forward, companies relying on SCCs are responsible for determining whether the recipient country’s law concerning government access to data provides privacy protections meeting EU legal standards. The ECJ in Schrems II also invalidated Commission Decision 2016/1250 underlying the EU-U.S. Privacy Shield. The Court found that the Commission’s record underlying Decision 2016/1250 did not establish that privacy protections in U.S. law relating to intelligence agencies’ access to data meet EU legal standards. Notwithstanding this finding, companies transferring data to the United States under SCCs today are responsible for undertaking their own independent analyses of all relevant and current U.S. law relating to intelligence agencies’ access to data, as well as the facts and circumstances of data transfers and any
applicable safeguards, in assessing whether the transfers satisfy EU law.