The EU court decision in the Schrems II case that effectively kills the Privacy Shield pact hammered out four years ago between the U.S. and EU could cripple multinational companies’ ability to operate as they scramble to scrutinize their data transfer mechanisms.
“This is a stunning and completely unexpected decision. In invalidating the Privacy Shield framework, the European Court of Justice has jeopardized the ability of thousands of companies to do business in the EU,” said Lisa Sotto, head of the global privacy and cybersecurity practice at Hunton Andrews Kurth. “This decision not only topples a well-ensconced data transfer regime that is relied on by over 5,000 U.S. companies, but it also calls into question the ability of multinational companies to transfer data to the U.S. under any mechanism.”
But Steve Durbin, managing director of the Information Security Forum (ISF), said Schrems II “was always going to be a major test for the Privacy Shield,” so for many, the decision “has come as no surprise that the European Court of Justice has responded in this way,” considering the jumble of state privacy laws currently governing personal data in the U.S.