The European Court of Justice’s recent ruling in Schrems II has invalidated the EU-US Privacy Shield, meaning that companies can no longer rely on this mechanism for transferring personal data (including employee data) from the EU to the US.  Companies transferring data to the US relying on the Privacy Shield (including transfers to a number of the big tech IT service providers registered with the scheme) will now need to scramble to put in place a lawful alternative.

In contrast, the Court of Justice upheld the Standard Contractual Clauses (“SCCs”) as a valid mechanism to transfer personal data to third countries but, importantly, pointed out that both data exporter companies and regulators must ensure that there are mechanisms to suspend or prohibit transfers to third countries where there is a conflict between the SCCs and the laws of that third country.  In practice, this appears to mean that companies need to undertake a level of due diligence prior to any transfer of personal data to a third country where the SCCs are being used, and that recipients of that data have an obligation to tell the exporter where their local laws (for example because of surveillance powers in their jurisdiction) mean that they cannot comply fully with the SCCs.

For further information see the Data Notes blog post here.


Our Data Class Actions team has published an article about the future of class actions in the August 2020 issue of PLC Magazine –

The article first appeared in the August 2020 issue of PLC Magazine

The article follows the Supreme Court’s decision in Various Claimants v WM Morrison Supermarkets Plc  – the first class action following a cyber and data security incident to be heard in the English courts. It discusses the employment aspects of the decision, including the risk of employers being held vicariously liable for an employee’s misuse of data and practical steps to detect and prevent employee misconduct, as well as the implications and outlook for data class actions generally.  For further details see our Cyber and Data Security blog post here.  Our Employment Notes blog post on the original decision is here.