Court of Justice of the European Union landmark ruling on the transfer of ‘personal’ data out of the EU will impact every business

Posted in Data protection and cybersecurity

In July, the CJEU gave judgment in the case known as Schrems II, a landmark data protection case about how companies can lawfully transfer personal data around the world. Most businesses transfer personal data around the world as part of their everyday activities – perhaps to a back office payroll centre in India or to an AWS server in the US or to a Salesforce CRM.  Now, the legality of these transfers has been challenged and privacy activists are adamant the ruling is followed through in practice. They have indicated that group litigation and the filing of further regulatory complaints will be on the horizon if organisations fail to take the judgment seriously.

The case centred on the transfer of personal data from within the EU to outside of this bloc.  As a general rule, EU data protection law prohibits the transfer of personal data outside of the bloc unless certain safeguarding mechanisms are in place.  The case called these mechanisms into question. The recent decision will affect companies registered within the EU. In addition, businesses outside of the EU that hold personal data concerning citizens who are within it will be impacted too. The judgment will also continue to affect UK businesses even after the end of the UK’s Brexit transition phase.

In short, the CJEU has:

  1. Invalidated the EU/US Privacy Shield scheme.  Privacy Shield was a voluntary scheme that US organisations could participate in which allowed EU organisations to lawfully send personal data to the US.  The European court has now invalidated this scheme because it believes that US national security surveillance powers are excessive and do not meet the requirements of EU law.  Many US service providers (Microsoft, Salesforce, WorkDay, etc.) participated in the scheme so that their EU customers could transfers data to them.
  2. Declared that ‘Standard Contractual Clauses’ (which are standard contracts approved by the European Commission for data transfers between countries in the EU and countries outside it) remain valid BUT the parties to the SCCs must verify on a “case-by-case basis” whether the laws of the country receiving the data afford compliance with EU law, in particular in relation to access to personal data by government authorities.  This could be a very time-consuming and expensive exercise.

For detailed analysis on Schrems II, refer to Norton Rose Fulbright's Data Protection Report blog or click here.  

For more information on the judgment, please click here to watch our recent webinar. 


Turkey offers significant growth potential to international investors and developers, in addition to domestic businesses. Our understanding of the legal, economic and political landscape in Turkey is second to none and we understand that changes impacting your business can arise rapidly and vary significantly across the region.

Through Inside Turkey, we aim to keep you updated on domestic and international developments, as well as providing insights into how to navigate the current market across key industry sectors. Inside Turkey will also feature legal developments outside of Turkey that affect Turkish companies doing business abroad.

Blog Network