At 9:30 a.m. Central European Time, privacy professionals around the world were refreshing their browsers to read the long-awaited judgment of the Court of Justice of the European Union (CJEU) principally addressing the viability of Standard Contractual Clauses (SCCs) and the EU-U.S. Privacy Shield (Privacy Shield) as means to transfer personal data from the European Union (EU) to the United States (U.S.).
When the judgment arrived, it landed with a bang: though the CJEU upheld the use of SCCs, it invalidated the Privacy Shield, the well-known mechanism to transfer personal data from the EU to the U.S. The decision also cast doubt on the viability of other options, including SCCs, for making transatlantic transfers.
The foundation of this decision and previous decisions affirming challenges to U.S. privacy practices is that the protection of personal data is a fundamental right in the EU, akin to a constitutional right in the U.S. The General Data Protection Regulation (GDPR) enshrined these fundamental rights and established uniform data protection standards across the EU designed to protect the personal data of EU-based individuals.