
Under the General Data Protection Regulation (GDPR), organisations in the European Union (EU) may only transfer personal data outside of the EU to jurisdictions with a minimum standard for the protection of personal data.
Previously, there was an agreement between the EU and the United States (US) known as the Privacy Shield Agreement. However, the Schrems II case found that the EU-US Privacy Shield Agreement was invalid because it didn't meet the standard of data protection guaranteed by the GDPR. It was ruled that the provisions of US laws do not satisfy requirements that are essentially equivalent to those required under EU law. This meant that organisations involved in the transfer of personal data to the US needed to utilise Standard Contractual Clauses to hold the data recipient to the standard of GDPR by way of contract. This is cumbersome and high risk.