Policy Briefing — Schrems II voids Privacy Shield and tightens SCC due diligence

Executive briefing: The Court of Justice held that Commission Decision 2016/1250 (Privacy Shield) was invalid because U.S. surveillance laws and redress mechanisms failed to provide EU-essentially equivalent protections. Standard Contractual Clauses remain valid but oblige controllers to verify third-country law, implement additional measures, and suspend transfers where protections fall short.^{Judgment paras. 199–203, 134–146}

Programme steps

• Re-paper transfers. Replace Privacy Shield references with SCCs and document transfer impact assessments addressing FISA 702 and EO 12333 access.
• Supplementary controls. Implement encryption, key separation, and access logging aligned with EDPB Recommendations 01/2020.
• Regulator dialogue. Prepare evidence packs for DPAs showing assessment outcomes and suspension triggers for high-risk destinations.

Sources

• CJEU Judgment C-311/18 (Schrems II)
• CJEU press release No. 91/20

Related briefings

Curated signals from the same pillar or overlapping topics.

Policy · Credibility 92/100 · June 4, 2021

Policy Briefing — EU Updates Standard Contractual Clauses

The European Commission adopted new modular Standard Contractual Clauses for GDPR-compliant international data transfers following Schrems II.

Policy · Credibility 88/100 · January 2, 2022

Policy Briefing — UAE Personal Data Protection Law Commences

The UAE Personal Data Protection Law entered into force on 2 January 2022, triggering enterprise-wide data governance, board oversight, and vendor sourcing programmes ahead of Executive Regulation enforcement.

Policy · Credibility 90/100 · March 7, 2024

Policy Briefing — India Publishes Draft DPDP Rules for Consultation

India’s Ministry of Electronics and Information Technology released draft Digital Personal Data Protection Rules on 7 March 2024, outlining consent, notice, and cross-border transfer obligations ahead of the DPDP Act’s…

Policy · Credibility 90/100 · July 16, 2020

Policy Briefing — CJEU Schrems II Decision

Authoritative guide to the CJEU’s Schrems II decision, why the EU-U.S. Privacy Shield was invalidated, how to harden SCC-based transfers with supplementary measures, and the 90-day compliance actions to maintain lawful…

Policy · Credibility 91/100 · July 1, 2020

Policy Briefing — California begins CCPA enforcement on July 1, 2020

The California Department of Justice started enforcing the California Consumer Privacy Act on July 1, requiring businesses to honor access, deletion, opt-out, and notice obligations despite pending regulation approvals.

Continue in the Policy pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Semiconductor Industrial Strategy Policy Guide — Zeph Tech

  Coordinate CHIPS and Science Act, EU Chips Act, and Defense Production Act programmes with capital planning, compliance, and supplier readiness.

• Digital Markets Compliance Guide — Zeph Tech

  Implement EU Digital Markets Act, EU Digital Services Act, UK Digital Markets, Competition and Consumers Act, and U.S. Sherman Act requirements with cross-functional operating…

• Export Controls and Sanctions Policy Guide — Zeph Tech

  Integrate U.S. Export Control Reform Act, International Emergency Economic Powers Act, and EU Dual-Use Regulation requirements into trade compliance, engineering, and supplier…