In July 2020, in a case known as Schrems II, the CJEU ruled that aspects of the U.S. national security legal framework did not meet European Union (EU) privacy requirements. The Court invalidated the EU-U.S. Privacy Shield, which had been the mechanism negotiated by the U.S. government and the European Commission under which thousands of businesses transferred personal data to the U.S. Although the Court upheld the validity of “standard contractual clauses” for transferring data, it stated that it was the responsibility of data controllers, processors, and supervisory authorities to verify, on a case-by-case basis, whether the law of the destination country ensures adequate protection of personal data under EU law.
A great deal rides on finding a sustainable way forward Companies are developing and implementing “adequate additional measures” to safeguard data transfers. In addition, government institutions in the U.S. and the EU have been hard at work to respond to the ruling. But there is more to be done.
This project brings together U.S. and European experts and practitioners from the government, the private sector, and civil society to develop practical, actionable recommendations for ensuring the viability of transatlantic data flows in light of the Schrems II decision.
We recently launched Privacy Across Borders (PAB) to showcase our work with this project. This website hosts a guide with legal resources to understand the Schrems II case. PAB also publishes weekly blog posts discussing issues and potential solutions to cross-border data transfers, especially those at the convergence of technology, privacy, and security.
Alex Joel, TLS Scholar-in-Residence and former chief privacy, civil liberties, and transparency officer for the Office of the Director of National Intelligence, is leading this project. Shanzay Pervaiz is the Senior Researcher supporting the project.