Now that several weeks have passed since the Court of Justice of the European Union’s (CJEU) decision in the “Schrems II” case—which struck down the EU-U.S. Privacy Shield—it’s worth taking a moment to reflect on what the decision means and the path forward. In the immediate aftermath of the decision, some wondered what this would mean for cross-border data transfers and whether they remained valid, but upon more analysis, they remain intact—with some caveats. At the same time, given the size and importance of the EU-U.S. trade relationship (over $700 billion in total volume), it is vital that we come together to achieve lasting solutions to help enable appropriate data transfers for the good of society and the economy.
Here are three things that still remain true at this point:
Transfers to the U.S. remain permissible. Privacy Shield was struck down because of concerns about protections of personal data under U.S. law and how EU residents could raise potential complaints. But personal data still can be transferred to the United States. Privacy Shield was an adequacy decision: any transfers of personal data to the U.S. were valid, so long as the transfer was to a company that