Global menu

Our global pages


The Court of Justice of the European Union validates Standard Contractual Clauses but invalidates Privacy Shield

  • Ireland
  • Privacy, data protection and cybersecurity


On Thursday 16 July 2020, the Court of Justice of the European Union (CJEU) ruled on two of the key EU legal tools used to transfer personal data outside the EEA.

The CJEU invalidated Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield (the “Privacy Shield”). By annulling the Privacy Shield, the CJEU has, in effect, found that a tool that previously allowed EU based companies to transfer personal data to US based providers in large quantities violates EU law.

While the CJEU invalidated the Privacy Shield, it considered that Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries (“SCCs”) is valid. While the use of SCCs was ruled as valid, the CJEU held that data transfers outside the EU must be suspended if the protection of the personal data cannot be ensured (e.g. use of US surveillance).

As this decision will have a far reaching impact for both US and EU based companies, we will continue to review the judgment and provide updated guidance on its impact.

If you have any questions in relation the CJEU’s decision, please feel free to contact a member of the Eversheds Sutherland team:

Marie McGinley, Partner and Head of IP, Technology & DP -

Neasa Ní Ghráda, Senior Associate in IP, Technology & DP -

Kirsty Farrell, Solicitor in Corporate and Commercial -