Skip to Main Content
Services Talent Knowledge
Site Search


Our attorneys stay on top of changes in legislation, agency regulations, case law, and industry trends—then craft timely legal alerts to keep clients up to date on legal developments important to their business.

August 27, 2020

European Court Invalidates EU-US Privacy Shield Framework; Revised Contracts May Be Required to Comply With GDPR International Data-Transfer Regulations

The July 20 decision of the Court of Justice of the European Union in Data Protection Commissioner vs. Facebook Ireland and Maximillian Schrems (Case C-311/18) invalidated the EU-US Privacy Shield framework that had been relied on by more than 5,000 US companies to avoid cumbersome data-privacy contracting requirements governing data transfers from the European Union.

Companies that participated in the Privacy Shield or considered participating should revisit their international data-processing agreements or execute new agreements to ensure compliance with the GDPR.

The EU General Data Protection Regulation (GDPR) states that EU data processors and controllers may not transfer personal data outside the European Union unless the receiving party’s country ensures an adequate level of data-privacy protections. Protections are adequate if the receiving country’s domestic law or international commitments provide safeguards similar to those imposed by the GDPR within the European Union. If the receiving party’s country doesn’t have adequate laws or treaties in place, personal data can be transferred outside the European Union only if the individual data exporter has a contract with the data recipient that includes sufficient data protection clauses, including standard clauses adopted by the European Commission. A data exporter or recipient that engages in a transfer without the appropriate legal or contractual safeguards is subject to an enforcement action by the European Commission and substantial penalties.

To satisfy the GDPR legal adequacy requirement—and avoid the significant transactional costs associated with establishing satisfactory contracts between EU data exporters and US data recipients—the US Department of Commerce and the European Commission established the EU-US Privacy Shield framework. Administered by the International Trade Administration within the US Department of Commerce, the Privacy Shield establishes a number of data-privacy principles and requirements that have been accepted as adequate by the European Commission.

To join the Privacy Shield framework and benefit from the adequacy determination, a US-based organization is required to self-certify to the Department of Commerce and publicly commit to comply with the framework’s privacy requirements. While joining the Privacy Shield is voluntary, once an eligible organization makes the public commitment to comply with the framework’s requirements, the commitment is enforceable under US law, and participants who fail to satisfy their obligations are subject to enforcement actions by the Federal Trade Commission.

On July 16, the Court of Justice of the European Union issued a judgment in the Schrems case declaring the Privacy Shield invalid. The court based its decision in large part on its evaluation of US government surveillance laws. According to the court, US law didn’t provide the level of control over use of personal data by public authorities that’s imposed by the GDPR. Consequently, the provisions of the Privacy Shield weren’t adequate to satisfy GDPR requirements.

As a result of the decision, the Privacy Shield framework is no longer a valid mechanism to comply with EU data-protection requirements when transferring personal data from the European Union to the United States. The court didn’t provide for any grace period during which companies can continue transferring data to the United States without a contractual basis for the transfer.

Now that the Privacy Shield has been invalidated, companies transferring personal data from the European Union to the United States (other than transfers within related multinational entities) can only do so pursuant to a contract containing appropriate data-protection clauses, including the standard contractual clauses (SCCs) approved by the European Commission. SCCs include definitions of key terms and language governing the obligations of the data importer and exporter, liability, third-party rights, choice of law, and dispute resolution.

Companies who participated in the Privacy Shield or considered participation to efficiently transfer data from Europe to the United States should revisit their international data-processing agreements to ensure compliance with the GDPR. Barclay Damon’s attorneys can assist by reviewing existing agreements or drafting new contracts to govern international data transfers.

If you have any questions regarding the content of this alert, please contact Charlie von Simson, of counsel, at or another member of the firm’s Cybersecurity Team.


Click here to sign up for alerts, blog posts, and firm news.

Featured Media


Fourth Department Finds Language in 1980 Statute Is Gender Neutral for Purposes of Child Victims Act


Priority of Federal Tax Lien on Personal Property: Secured Lender vs. IRS


COVID-19 Business Interruption Update: New York High Court Affirms in Favor of Insurer


USFWS Introduces General Permit for Bald and Golden Eagle Incidental Take


ORES Executive Director Issues First Denial of Section 94-C Permit Application Following Applicant's Partial Loss of Site Control


New Details About OPWDD Spending in the New York State FY 2025 Executive Budget

We're Growing in DC!

We’re excited to announce Barclay Damon’s combination with Washington DC–based Shapiro, Lifschitz & Schram. SLS’s 10 lawyers, three paralegals, and four administrative staff will join Barclay Damon while maintaining their current office in DC’s central business district. Our clients will benefit from SLS’s corporate, real estate, finance, and construction litigation experience and national energy-industry profile, and their clients from our full range of services.

Read More

This site uses cookies to give you the best experience possible on our site and in some cases direct advertisements to you based upon your use of our site.

By clicking [I agree], you are agreeing to our use of cookies. For information on what cookies we use and how to manage our use of cookies, please visit our Privacy Statement.

I AgreeOpt-Out