With companies no longer able to rely on Privacy Shield for protection, companies have two main options available to them: to localize data storage and/or to strengthen their SCCs.
While confirming that SCCs are valid with the Privacy Shield gone, the CJEU underlined that they can only be relied upon when risks have been properly assessed and cannot amount to a “tickbox exercise.
In a landmark decision for the EU-US data transfer regime, the European Court has struck down the EU-US Privacy Shield but given respite to Standard Contractual Clauses.