{"id":1208,"date":"2021-11-19T14:30:00","date_gmt":"2021-11-19T14:30:00","guid":{"rendered":"https:\/\/www.cookiebot.com\/en\/?p=1208"},"modified":"2026-03-12T08:20:21","modified_gmt":"2026-03-12T08:20:21","slug":"schrems-ii-privacy-shield","status":"publish","type":"post","link":"https:\/\/www.cookiebot.com\/us\/schrems-ii-privacy-shield\/","title":{"rendered":"Schrems II and beyond: EU-US international data transfers"},"content":{"rendered":"\n<p>On July 16, 2020, the<a href=\"https:\/\/curia.europa.eu\/jcms\/jcms\/j_6\/en\/\" target=\"_blank\" rel=\"noreferrer noopener\"> Court of Justice of the European Union (CJEU)<\/a> struck down the EU-U.S. Privacy Shield Framework (Privacy Shield), a key mechanism that facilitated personal data transfers between the EU and the US under the<a href=\"https:\/\/www.cookiebot.com\/en\/gdpr\/\"> General Data Protection Regulation (GDPR)<\/a>.<\/p>\n\n\n\n<p>This decision, commonly known as Schrems II, highlighted the inadequacy of US privacy protections compared with EU standards, raising concerns about US surveillance practices and deeming the US a non-adequate country for personal data transfers from the EU.<\/p>\n\n\n\n<p>The <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/eu-us-data-privacy-framework\/\" target=\"_blank\" rel=\"noreferrer noopener\">EU-U.S. Data Privacy Framework<\/a>, adopted on July 10, 2023, emerged as a crucial development and aimed to address the CJEU's concerns by providing stronger safeguards and a clear legal pathway for data transfers between the EU and US.<\/p>\n\n\n\n<p>We look at the immediate impact of the Schrems II case and how it has shaped international data transfers under the GDPR.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-is-the-schrems-ii-case\">What is the Schrems II case?<\/h2>\n\n\n\n<p>Schrems II is a landmark ruling by the CJEU based on a 2015 complaint by Austrian privacy advocate Maximilian Schrems against Facebook Ireland Limited. Schrems brought the case before the Irish Data Protection Authority, challenging the use of Standard Contractual Clauses (SCCs) for data transfers to the US. The Irish High Court escalated the case to the CJEU in 2018.<\/p>\n\n\n\n<p>In its judgment, the CJEU addressed two main aspects related to data transfers between the EU and US: the SCCs and the Privacy Shield.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large is-style-cb-rounded\"><img loading=\"lazy\" decoding=\"async\" height=\"513\" width=\"770\" src=\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2021\/11\/Schrems-II-case.svg\" alt=\"Schrems II case\" class=\"wp-image-14568\" srcset=\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2021\/11\/Schrems-II-case.svg?v=af5e79267c269657 150w, https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2021\/11\/Schrems-II-case.svg?v=af5e79267c269657 300w, https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2021\/11\/Schrems-II-case.svg?v=af5e79267c269657 768w, https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2021\/11\/Schrems-II-case.svg?v=af5e79267c269657 1024w, https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2021\/11\/Schrems-II-case.svg?v=af5e79267c269657 770w\" sizes=\"auto, (max-width: 770px) 100vw, 770px\" \/><\/figure>\n\n\n\n<p>While the CJEU upheld the SCCs as a valid mechanism for data export under<a href=\"https:\/\/gdpr.eu\/article-46-appropriate-safeguards-personal-data-transfers\/\" target=\"_blank\" rel=\"noreferrer noopener\"> Art. 46 GDPR<\/a>, it required that organizations conduct thorough assessments to ensure data transfers meet EU standards regarding appropriate safeguards, enforceable rights, and effective legal remedies. This includes a case by case review of the legal framework of the recipient country and the specific terms of the SCCs involved.<\/p>\n\n\n\n<p>In its evaluation of the Privacy Shield, the CJEU held that the US does not offer protection equivalent to EU standards, primarily due to two reasons:<\/p>\n\n\n\n<ul style=\"background-color:#f2f7fe\" class=\"wp-block-list cb-rounded has-background\">\n<li>invasive surveillance programs that are not limited to what is strictly necessary and proportional, as required by EU law<\/li>\n\n\n\n<li>the ineffective redressal mechanism provided by the Privacy Shield Ombudsperson, which lacked the authority to make binding decisions on US intelligence services, undermining the role as a protective measure for EU citizens<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-immediate-impact-of-the-schrems-ii-judgment\">Immediate impact of the Schrems II judgment<\/h2>\n\n\n\n<p>The immediate invalidation of the Privacy Shield by the Schrems II judgment left no grace period for businesses relying on the framework for transatlantic data transfers. This sudden change forced businesses to reevaluate and adjust their data handling practices. In response to these new compliance challenges, many companies shifted towards alternative legal mechanisms, such as Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs).<\/p>\n\n\n\n<p>These alternatives became essential tools in bridging the gap left by the Schrems II ruling, enabling ongoing data transfers while companies worked to align with new regulatory expectations.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-the-european-commission-s-updated-sccs\">The European Commission\u2019s updated SCCs\u00a0<\/h3>\n\n\n\n<p>On June 4, 2021, the European Commission (EC)<a href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/ip_21_2847\/\" target=\"_blank\" rel=\"noreferrer noopener\"> adopted two new sets of standard contractual clauses<\/a> to replace the Privacy Shield data transfer framework: one set<a href=\"https:\/\/ec.europa.eu\/info\/law\/law-topic\/data-protection\/publications\/standard-contractual-clauses-controllers-and-processors\/\" target=\"_blank\" rel=\"noreferrer noopener\"> for controllers and processors<\/a>, and another<a href=\"https:\/\/ec.europa.eu\/info\/law\/law-topic\/data-protection\/international-dimension-data-protection\/standard-contractual-clauses-scc\/standard-contractual-clauses-international-transfers_en\/\" target=\"_blank\" rel=\"noreferrer noopener\"> for transferring personal data to third countries<\/a>.<\/p>\n\n\n\n<p>Among other things, the 2021 EC SCCs:<\/p>\n\n\n\n<ul style=\"background-color:#f2f7fe\" class=\"wp-block-list cb-rounded has-background\">\n<li>enable transfers of personal data between the EU and any third country (non-adequate under the GDPR) and clear away the need for a separate data processing agreement (DPA) and signed SCC<\/li>\n\n\n\n<li>have provisions to ensure that local laws do not prevent compliance with the SCCs, such as assessments by the data importer<\/li>\n\n\n\n<li>require additional data protection safeguards, such as protection against data breaches, ensuring confidentiality, pseudonymization of sensitive data, and storage and purpose limitation, among others<\/li>\n\n\n\n<li>prescribe conditions by which third parties outside the EU can receive personal data, such as if the third party is in a country with an adequacy decision or the transfer of data is necessary to protect the vital interests of the data subject or of another natural person<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-decisions-of-various-eu-data-protection-authorities\">Decisions of various EU Data Protection Authorities<\/h3>\n\n\n\n<p>Following the Schrems II ruling, Data Protection Authorities (DPAs) across various EU countries heightened their scrutiny of data transfers, affecting international operations for businesses using major US-based services like<a href=\"https:\/\/usercentrics.com\/knowledge-hub\/google-analytics-and-gdpr-compliance-rulings\/\" target=\"_blank\" rel=\"noreferrer noopener\"> Google Analytics<\/a>.The DPAs of Austria, France, Italy, the Netherlands, Norway, Denmark, and Sweden, and even the European Parliament, all concluded that, without additional safeguards, these data transfers did not provide adequate protections for personal data under EU law standards, reflecting the broader enforcement trend initiated by the Schrems II decision.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large is-style-cb-rounded\"><img loading=\"lazy\" decoding=\"async\" height=\"513\" width=\"770\" src=\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2021\/11\/Decisions-of-various-EU-Data-Protection-Authorities.svg\" alt=\"\" class=\"wp-image-14570\" srcset=\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2021\/11\/Decisions-of-various-EU-Data-Protection-Authorities.svg?v=b6c07cb697ed1ff0 150w, https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2021\/11\/Decisions-of-various-EU-Data-Protection-Authorities.svg?v=b6c07cb697ed1ff0 300w, https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2021\/11\/Decisions-of-various-EU-Data-Protection-Authorities.svg?v=b6c07cb697ed1ff0 768w, https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2021\/11\/Decisions-of-various-EU-Data-Protection-Authorities.svg?v=b6c07cb697ed1ff0 1024w, https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2021\/11\/Decisions-of-various-EU-Data-Protection-Authorities.svg?v=b6c07cb697ed1ff0 770w\" sizes=\"auto, (max-width: 770px) 100vw, 770px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-the-eu-u-s-data-privacy-framework-a-new-solution\">The EU-U.S. Data Privacy Framework: a new solution<\/h2>\n\n\n\n<p>In the absence of an adequacy decision after the Schrems II ruling, personal data could only be transferred to the US based on the EC SCCs or BCRs.<\/p>\n\n\n\n<p>On July 10, 2023, the EC adopted its adequacy decision for the<a href=\"https:\/\/usercentrics.com\/knowledge-hub\/eu-us-data-privacy-framework\/\" target=\"_blank\" rel=\"noreferrer noopener\"> EU-U.S. Data Privacy Framework<\/a>, a Privacy Shield replacement that gave businesses a mechanism for transatlantic data transfers that are consistent with EU law.<\/p>\n\n\n\n<p>The Data Privacy Framework aims to address the deficiencies highlighted by the Schrems II decision, focusing on enhanced data protection and accountability measures.&nbsp;<\/p>\n\n\n\n<p>US companies must self-certify their compliance with the principles of the Data Privacy Framework. The EC now deems data transfers from the EU and European Economic Area (EEA) to self-certified companies as having an adequate level of protection as required by EU law without needing additional safeguards under Art. 46 GDPR.<\/p>\n\n\n\n<p>However, for companies not included in the<a href=\"https:\/\/www.dataprivacyframework.gov\/list\" target=\"_blank\" rel=\"noreferrer noopener\"> Data Privacy Framework List<\/a>, or those that have not renewed their certification, which is required annually, data transfers require additional data protection safeguards in accordance with the GDPR.\u00a0<\/p>\n\n\n\n<p>Data exporters in the EU and EEA are also tasked with verifying that the US company\u2019s self-certification is active before proceeding with any data transfers, ensuring all legal requirements are met for the protection of personal data.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-role-of-transfer-impact-assessments-in-international-data-transfers\">Role of Transfer Impact Assessments in international data transfers<\/h2>\n\n\n\n<p>Organizations that transfer personal data outside the EU must comply with the GDPR and the<a href=\"https:\/\/eur-lex.europa.eu\/eli\/reg\/2018\/1725\/oj\" target=\"_blank\" rel=\"noreferrer noopener\"> EU Charter of Fundamental Rights<\/a> and, as a first step, assess whether the international transfer is to a country with an adequate level of protection to that provided in the EU\/EEA.<\/p>\n\n\n\n<p>The European Data Protection Supervisor (EDPS) recommends that these organizations, which are data controllers under the GDPR, carry out a<a href=\"https:\/\/www.edps.europa.eu\/data-protection\/data-protection\/reference-library\/international-transfers_en\" target=\"_blank\" rel=\"noreferrer noopener\"> Transfer Impact Assessment (TIA)<\/a> for this purpose.<\/p>\n\n\n\n<p>According to the EDPS, data controllers should refer to recommendations from the<a href=\"https:\/\/www.edpb.europa.eu\/edpb_en\" target=\"_blank\" rel=\"noreferrer noopener\"> European Data Protection Board (EDPB)<\/a> when carrying out a TIA, namely:<\/p>\n\n\n\n<ul style=\"background-color:#f2f7fe\" class=\"wp-block-list cb-rounded has-background\">\n<li><a href=\"https:\/\/www.edpb.europa.eu\/system\/files\/2021-06\/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">recommendations 01\/2020 on supplementary measures<\/a>, a five-step guide for companies and organizations<\/li>\n\n\n\n<li><a href=\"https:\/\/www.edpb.europa.eu\/sites\/default\/files\/files\/file1\/edpb_recommendations_202002_europeanessentialguaranteessurveillance_en.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">recommendations 02\/2020 on European Essential Guarantees<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.edpb.europa.eu\/sites\/default\/files\/files\/file1\/edpb_guidelines_202002_art46guidelines_internationaltransferspublicbodies_v2_en.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">guidelines for transfers of personal data between EEA and non-EEA public authorities and bodies<\/a><\/li>\n<\/ul>\n\n\n\n<p>There is no specified format for conducting a TIA. France\u2019s National Commission on Informatics and Liberty (CNIL) published a<a href=\"https:\/\/www.cnil.fr\/sites\/cnil\/files\/2024-01\/draft_practical_guide_transfer_impact_assessment.pdf\" target=\"_blank\" rel=\"noreferrer noopener\"> draft guide<\/a> that data controllers may use as a starting point.<\/p>\n\n\n\n<p>It is also recommended to consult a Data Protection Officer, if appointed, when conducting a TIA.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-edpb-recommendations-for-data-transfers-outside-eu\">EDPB recommendations for data transfers outside EU<\/h2>\n\n\n\n<p>On June 18, 2021, the EDPB adopted updated recommendations on supplementary measures for safe transfers of personal data outside of the EU. The<a href=\"https:\/\/edpb.europa.eu\/system\/files\/2021-06\/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf\"> five-step guide<\/a> aimed to deliver clarity to the industry confusion that existed since the Schrems II ruling struck down the Privacy Shield.<\/p>\n\n\n\n<p>Although the Data Privacy Framework has been in place since July 2023, it applies only to transfers to organizations that are on the Data Privacy Framework List. The EDPB recommendations help website owners and operators navigate the legal ocean of sending data outside of the EU to non-adequate countries, as well as to US organizations not covered by the Data Privacy Framework, while ensuring that the data remains protected.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-step-1-know-your-transfers\">Step 1: Know your transfers<\/h3>\n\n\n\n<p>You need to know where in the world your website \u2014 or, more specifically, the third-party cookies or trackers in use on your site, for example \u2014 sends end-user personal data to. This is key to everything else, because if you find out that your website is sending personal data from users to a non-adequate country, you must take additional steps to ensure compliance.&nbsp;<\/p>\n\n\n\n<p>If your website is sending data to the US, check to see if the company you are sending to is on the Data Privacy Framework List, or if you need to take additional safeguards to transfer the data compliantly.<\/p>\n\n\n\n<p>You must also take into account onward transfers to any third party outside the EEA. These onward transfers must be compliant with the GDPR rules for international data transfers.<\/p>\n\n\n\n<p>A website scanner can help you map out your data transfers. Website scanners like Cookiebot\u2122 cookie checker can automatically detect all cookies and trackers in use on your site and give you a detailed report on what parties and where in the world your website sends data.<\/p>\n\n\n<div class=\"cta-block cta-block--size-s cta-block--only-buttons cb-ctx--blue\">\n        <div class=\"cta-block__glass\">\n        <div class=\"cta-block__inner\">\n            <div class=\"cta-block__left-column\">\n                                                                    <div class=\"cta-block__description like-text-md\">\n                        <p ><strong>Scan your website for free to know to which countries you are sending personal data.<\/strong><\/p>\n                    <\/div>\n                                                                                                                                                        <\/div>\n                            <div class=\"cta-block__right-column\">\n                                                                <div class=\"cta-block__buttons\">\n                                                    <div class=\"cta-block__buttons__button-wp\">\n                                <a id=\"15265c69-b174-4043-86ab-0675348ec2e8\" class=\"cb-button cb-button-size-l cb-button-contained  no-default-link-decoration cb-button-icon-right cta-block__buttons__button\" href=\"\/en\/cookie-checker\/\" target=\"_blank\">\n<span>Scan now<\/span><\/a>\n                                                            <\/div>\n                                                                        <\/div>\n                                                        <\/div>\n                    <\/div>\n    <\/div>\n<\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-step-2-examine-how-you-send-data\">Step 2: Examine how you send data<\/h3>\n\n\n\n<p>Once you have an overview of where in the world your website sends personal data, step two of the EDPB recommendations is to make sure that you use the right transfer mechanisms or transfer tools.<\/p>\n\n\n\n<p>If your website sends personal data to countries with an EU adequacy agreement, you don't need to take any further steps regarding these data transfers.<\/p>\n\n\n\n<p>But if your website is also sending personal data to countries without an EU adequacy agreement, or to a US company that isn\u2019t on the Data Privacy Framework List, you need to make sure that your website uses one of the transfer tools listed in<a href=\"https:\/\/gdpr-info.eu\/art-46-gdpr\/\" target=\"_blank\" rel=\"noreferrer noopener\"> Art. 46 GDPR<\/a>.\u00a0<\/p>\n\n\n\n<p>In these cases, alternative GDPR-compliant transfer mechanisms like SCCs or BCRs need to be in place for data transfers.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-step-3-assess-if-the-data-will-be-protected-after-you-send-it\">Step 3: Assess if the data will be protected after you send it<\/h3>\n\n\n\n<p>Evaluating whether a country has laws or privacy practices in place that can guarantee an equivalent level of data protection for your website's users and their personal data is step three in the EDPB recommendations guide.<\/p>\n\n\n\n<p>This step might seem a bit tricky, as you may not be familiar with different data protection laws in other countries. Here is where the EDPB's Essential Guarantees can help you determine a country's level of data protection.<\/p>\n\n\n\n<p>The EU Essential Guarantees can help you get an overview of how to conduct such an evaluation, such as looking for whether:<\/p>\n\n\n\n<ul style=\"background-color:#f2f7fe\" class=\"wp-block-list cb-rounded has-background\">\n<li>data processing in the country is based on clear, precise, and accessible rules<\/li>\n\n\n\n<li>legitimate objectives for processing the data are demonstrated in accordance with EU law\u2019s requirements for necessity and proportionality<\/li>\n\n\n\n<li>the country has an independent oversight mechanism or supervisory authority, such as a Data Protection Authority<\/li>\n\n\n\n<li>your users have legal remedies to pursue if their GDPR-secured rights have been violated<\/li>\n<\/ul>\n\n\n\n<p>Annex 3 of the EDPB updated recommendations on supplementary measures also contains a list of possible sources of information to assess a third country for your reference. It contains a detailed list of requirements to consider in the specific circumstances of each transfer.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large is-style-cb-rounded\"><img loading=\"lazy\" decoding=\"async\" height=\"513\" width=\"770\" src=\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2021\/11\/Data-protection.svg\" alt=\"\" class=\"wp-image-14573\" srcset=\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2021\/11\/Data-protection.svg?v=07dff9f36dfd9576 150w, https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2021\/11\/Data-protection.svg?v=07dff9f36dfd9576 300w, https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2021\/11\/Data-protection.svg?v=07dff9f36dfd9576 768w, https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2021\/11\/Data-protection.svg?v=07dff9f36dfd9576 1024w, https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2021\/11\/Data-protection.svg?v=07dff9f36dfd9576 770w\" sizes=\"auto, (max-width: 770px) 100vw, 770px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-step-4-adopt-additional-data-transfer-protections\">Step 4: Adopt additional data transfer protections<\/h3>\n\n\n\n<p>If you discover that your website sends personal data from end users to a country that is not recognized as having an adequate level of data protection, or that your Art. 46 GDPR transfer tool is ineffective, step four of the EDPB recommendations maps out how you can ensure additional security around your data transfers so that they meet EU standards of equivalence.<\/p>\n\n\n\n<p>These supplementary measures in the EDPB recommendations include:<\/p>\n\n\n\n<ul style=\"background-color:#f2f7fe\" class=\"wp-block-list cb-rounded has-background\">\n<li>technical safeguards (such as encryption protocols and pseudonymization)<\/li>\n\n\n\n<li>contractual safeguards (such as importer transparency commitments, enhanced audits, and requiring specific technical measures)<\/li>\n\n\n\n<li>organizational measures (such as internal transfer governance policies and data minimization)<\/li>\n<\/ul>\n\n\n\n<p>Annex 2 of the EDPB updated recommendations on supplementary measures contains detailed examples and use cases to consider.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-steps-5-and-6-document-and-reassess\">Steps 5 and 6: Document and reassess<\/h3>\n\n\n\n<p>In steps five and six of the EDPB recommendations, you are encouraged to document your data transfer practices and how you ensure adequate protection for your website's end users.<\/p>\n\n\n\n<p>You are also encouraged to reevaluate your data transfer practices at appropriate intervals to make sure that you're always up to date on the latest developments in the countries to which you send personal data.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-next-steps-in-gdpr-compliant-data-transfers-to-the-us\">Next steps in GDPR-compliant data transfers to the US<\/h2>\n\n\n\n<p>Data privacy laws are continuously adapting to technological advancements and new legal precedents. The Schrems I judgment invalidated Safe Harbor, which was the predecessor of the Privacy Shield. The Schrems II decision invalidated the Privacy Shield, leaving the EU and US without an adequacy agreement until the Data Privacy Framework, which itself mandates annual reviews to assess its effectiveness and identify areas for improvement.<\/p>\n\n\n\n<p>Businesses should monitor developments related to the Data Privacy Framework, in particular its annual reviews, to anticipate and adapt to changes that may impact their data transfer strategies. Businesses should also regularly check for updates from the EDPB and local DPAs of the various EU member states, which often release guidelines and announcements related to the use of<a href=\"https:\/\/www.cookiebot.com\/en\/tracking-cookies\/\"> tracking cookies<\/a> to collect personal data.<\/p>\n\n\n\n<p>It is also recommended to consult qualified legal professionals and data privacy experts, such as Data Protection Officers, who can provide valuable insights into the complexities of data transfer laws and help integrate the latest legal changes into your data management practices.<\/p>\n\n\n\n<p><em>Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.<\/em><\/p>\n\n\n\n\n","protected":false},"excerpt":{"rendered":"<p>On July 16, 2020, the Court of Justice of the European Union (CJEU) struck down the EU-U.S. Privacy Shield Framework (Privacy Shield), a key mechanism that facilitated personal data transfers between the EU and the US under the General Data Protection Regulation (GDPR). This decision, commonly known as Schrems II, highlighted the inadequacy of US [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":14581,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":true,"editor_notices":[],"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1208","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"acf":[],"thumbnail_status":false,"thumbnail_url":"https:\/\/www.cookiebot.com\/us\/wp-content\/uploads\/sites\/8\/2021\/11\/cb_some_post_1200x630schremsII_202407.jpg","_links":{"self":[{"href":"https:\/\/www.cookiebot.com\/us\/wp-json\/wp\/v2\/posts\/1208","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cookiebot.com\/us\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cookiebot.com\/us\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/us\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/us\/wp-json\/wp\/v2\/comments?post=1208"}],"version-history":[{"count":0,"href":"https:\/\/www.cookiebot.com\/us\/wp-json\/wp\/v2\/posts\/1208\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/us\/wp-json\/wp\/v2\/media\/14581"}],"wp:attachment":[{"href":"https:\/\/www.cookiebot.com\/us\/wp-json\/wp\/v2\/media?parent=1208"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cookiebot.com\/us\/wp-json\/wp\/v2\/categories?post=1208"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cookiebot.com\/us\/wp-json\/wp\/v2\/tags?post=1208"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}