Data play a central role in the economy today. Nonetheless, the main trading partner of the United States—the European Union—places restrictions on crossborder transfers of personal data exported from the European Union. Destination countries must benefit from a decision by the European Commission that their data protection practice is “adequate” to import data, or transfer tools must be used to further protect those data. The United States does not benefit from such a decision and an arrangement that previously allowed data to continue to flow to the United States—the Privacy Shield—was invalidated by the Court of Justice of the European Union in 2020 in a case that is known as

Schrems II. 

This study focuses on EU-U.S. personal data transfers. It provides a holistic view of the legal parameters involved in transatlantic data transfer compliance post-Schrems II, relevant developments past and future, and potential compliance actions, supplemented with relevant guidance and an analysis of enforcement actions. Such compliance is considered the most difficult task of privacy professionals today. The aim is to give a fuller understanding in this context of the EU General Data Protection Regulation (GDPR), which sets out the crossborder data transfer restriction, with a view to potential pathways to navigate those challenges.

Following the Introduction, this study dives into both the cross-border transfer restriction contained in the GDPR, and into the Schrems II ruling. EU-U.S. negotiations to try to build a replacement for the Privacy Shield are discussed. A new 2021 version of the standard contractual clauses transfer tool, used to allow data exports, is analyzed. In addition, the requirement to respect the essence of fundamental rights and freedoms set out in the Schrems II judgment is explained. Supplemental measures to ensure data protection and to allow transfers to jurisdictions with problematic legislation, such as the United States (with its surveillance laws), are detailed. Furthermore, European Economic Area data protection enforcement action in the domain of cross-border transfers is studied, including a recent case relating to the use of the popular Google Analytics tracking cookies. Finally, lessons for compliance are drawn, prior to concluding remarks.