The Court of Justice of the European Union (CJEU) has invalidated the US-EU Privacy Shield Agreement. The agreement, under which US companies agreed to adhere to EU standards on data protection and privacy in return for being able to receive personal data from the EU, has been struck down on the grounds that the US legal system does not provide adequate protection for personal data, especially when it comes to state surveillance.

US companies receiving personal data from the EU will now need to find an alternative legal mechanism for receiving that data, or they will be breaking the law and face potential sanctions under the EU’s General Data Protection Regulation (GDPR).

Privacy Shield goes the way of Safe Harbor

Privacy Shield was set up after its predecessor, Safe Harbor, was brought down by a legal challenge from privacy activist Max Schrems. Privacy Shield was challenged because, like Safe Harbor, it did not offer enough protection for EU citizens’ data from US surveillance laws.

The CJEU ruled that data protections in the US are not equivalent to those required under EU law because of the “limitations on the protection of personal data” arising from the access to and use of personal data by US public authorities, which do not satisfy EU requirements. The CJEU also ruled that the current system did not give data subjects actionable rights before the courts against the US authorities, and so should be invalidated.

“This was an unexpected result. For businesses that transfer personal data from the EU to the US, this represents the worst of all possible outcomes,” says Bridget Treacy, data privacy partner at law firm Hunton Andrews Kurth. “Businesses that relied upon the Privacy Shield will need to assess whether they can utilize SCCs as an alternative data transfer mechanism, but with more proactive scrutiny of the data transfers than previously.”

“EU regulators will need to adopt a pragmatic approach to enforcement, allowing businesses a period of grace in which to implement alternative arrangements to the Shield in order to continue to lawfully transfer personal data from the EU to the US. Businesses will expect urgent guidance from regulators on transition arrangements,” Treacy adds.

Around 5,000 companies in the US are signed up to the Privacy Shield agreement. According to IAPP research, approximately 60% of companies transferring data out of the EU use Privacy Shield, and around 250 European-based companies participate in the Privacy Shield program.

“Today’s decision is nothing short of irresponsible,” says Eline Chivot, senior policy analyst at ITIF's Center for Data Innovation. “It will immediately upend, and in many cases even halt, data transfers between the EU and the United States, leaving many businesses with no suitable alternative.”

Standard contractual clauses remain

The court did rule, however, that standard contractual clauses (SCCs) remain valid. These standardized templates of data protection requirements will be the most likely replacement option for affected companies. Over 80% of companies transferring data out of the EU rely on SCCs, according to IAPP.

The CJEU ruling noted that the assessment of SCC agreements must consider not only the protections guaranteed in the contract, but also the potential for access by authorities of the destination country and the legal system of that third country. It also stated that Data Protection Authorities (DPAs) are “required to suspend or prohibit a transfer of personal data to a third country” where SCCs are not or cannot be complied with in that country and the protection required by EU law cannot be ensured.

This leaves companies open to the possibility that local DPAs might invalidate specific SCCs if they believe data could be subject to local surveillance laws that affect EU citizens, and companies subject to surveillance laws such as FISA 702 in the US – Facebook, for example – may see their SCCs blocked. DPAs have always had the power to invalidate SCCs, but the new ruling will compel them to use that mechanism. It is also currently unclear how DPAs will be required to make such assessments of the surveillance regimes of other countries.

“SCCs, commonly utilized for transfers around the globe, will be subject to much closer scrutiny by data exporters and by EU regulators,” says Treacy. “Transfers of personal data from the EU to the US will require particular care given comments made by the Court about US surveillance.”

Binding corporate rules (BCRs) remain unaffected, but they are costly and require a lengthy process to put in place, plus regulatory approval. They are likely an impractical option for all but the largest companies.

Even with the fall of Privacy Shield, and where no SCCs are in place, personal data can still be transferred where “necessary” – for example via an email from the data subject, or when booking hotels in destination countries – or where the data subject gives clear consent for a company to move data to the US.

This ruling is most likely to affect companies that pass data from an entity in the EU to a parent company outside the region, or to a third party that hosts or processes the data outside the Union.

Ruling means more compliance burdens for CISOs

Companies that were reliant on Privacy Shield will likely have to look toward SCCs to ensure they have a legal way to send personal data from the EU to the US. Where Privacy Shield was a single set of compliance requirements covering all personal data, SCCs are specific to each data flow, meaning a single organization can have dozens or even hundreds of SCCs in place. There are multiple SCC templates, which gives some room for manoeuvre within them.

The data protection requirements under Privacy Shield and under SCCs will likely be similar. But as blanket coverage is replaced with multiple agreements, the burden of ensuring that each individual data flow is compliant increases.

CISOs should work with their data protection officers (DPOs) and legal department to understand data flows across the company, identify any data protection demands in the SCCs that deviate from those previously in place under Privacy Shield, and ensure that compliance with each is documented in case it is challenged. Where possible, it may be beneficial to reassess what data is received from the EU and whether it would make more sense for it to remain within EU territory in order to reduce the compliance burden.

“Businesses that rely on the SCCs will be required to evaluate each data transfer recipient to determine whether the recipient offers an ‘adequate level of protection,’” advises David Dumont, data privacy partner at Hunton Andrews Kurth. “This will mean assessing what type of personal data is being transferred, how it will be processed, whether it may be subject to access by government agencies for surveillance purposes and, if so, what safeguards are available.”

“Most businesses are not readily able to make those assessments. If a recipient is not able to provide an ‘adequate level of protection’, EU businesses are required to suspend those data transfers, failing which a regulator may do so. Urgent guidance will be required from data protection regulators as to what practical level of scrutiny they expect from businesses relying on SCCs,” Dumont adds.

Nader Henein, fellow and information privacy and research director for Data Protection and Privacy at Gartner, says that many EU-based organizations will have to go through the Privacy Shield list to see which of their vendors use the agreement to receive data from the EU, and then go through their contracts to see whether those vendors rely on SCCs as well. If not, those organizations will have to put SCCs in place, and there may have to be a suspension of services for a time while those agreements are being made.

“If any of those companies [on the Privacy Shield list] serve you then that's a red flag, because potentially they're doing it exclusively rather than in conjunction with standard contractual clauses,” Henein says. “If they rely exclusively on Privacy Shield, they have a mountain of paperwork to go through. The controls might not need to change, but before signing contracts legal will have to go over it.”

In the short term he recommends switching to SCCs where applicable, and considering BCRs in the long term. For companies that were reliant on Privacy Shield and may face issues with SCCs because of surveillance concerns, Henein says those organizations should keep their data on European servers or in another country that has an adequacy decision.

Will there be a Privacy Shield/Safe Harbor 3?

Cordery Compliance says a replacement framework is likely in the works. However, while it might be a quicker fix than establishing SCCs, it may well be an unstable agreement. Cordery notes that whatever form a third instance of Privacy Shield/Safe Harbor takes, it would be unlikely to survive for long before being challenged in court.

Even if the agreement had survived this ruling, it was facing another challenge from the La Quadrature du Net privacy activism group in France. Unless there is reform of US surveillance laws to protect EU citizens’ data, end authorities’ access to personal data without individual judicial approval, and provide redress options for non-US data subjects, whatever replaces Privacy Shield will likely be challenged again by these groups.

“The Court clarified for a second time now that there is a clash between EU privacy law and US surveillance law,” said Schrems in a statement. “As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley.”