The EU court decision in the Schrems II case that effectively kills the Privacy Shield pact hammered out four years ago between the U.S. and EU could cripple multinational companies' ability to operate as they scramble to scrutinize their data transfer mechanisms.

“This is a stunning and completely unexpected decision. In invalidating the Privacy Shield framework, the European Court of Justice has jeopardized the ability of thousands of companies to do business in the EU,” said Lisa Sotto, head of the global privacy and cybersecurity practice at Hunton Andrews Kurth. “This decision not only topples a well-ensconced data transfer regime that is relied on by over 5,000 U.S. companies, but it also calls into question the ability of multinational companies to transfer data to the U.S. under any mechanism.” 

But Steve Durbin, managing director of the Information Security Forum (ISF), said Schrems II “was always going to be a major test for the Privacy Shield,” so for many, the decision “has come as no surprise that the European Court of Justice has responded in this way,” considering the jumble of state privacy laws currently governing personal data in the U.S.

Please register to continue.

Already registered? Log in.

Once you register, you'll receive:

  • News analysis

    The context and insight you need to stay abreast of the most important developments in cybersecurity. CISO and practitioner perspectives; strategy and tactics; solutions and innovation; policy and regulation.

  • Archives

    Unlimited access to nearly 20 years of SC Media industry analysis and news-you-can-use.

  • Daily Newswire

    SC Media’s essential morning briefing for cybersecurity professionals.

  • Learning Express

    One-click access to our extensive program of virtual events, with convenient calendar reminders and ability to earn CISSP credits.