The decision of the Court of Justice of the European Union in in Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, invalidating the use of the Privacy Shield for international data transfers to the United States, has attracted much publicity.  (Links to the decision and other extensive data protection resources are on However, in our experience, most (but not all) American and other law firms with US offices rely on the standard contractual clauses.

However, these too face challenges in the light of the decision.  They cannot simply sign a contract containing standard contractual clauses and leave a copy in the bottom drawer. They also need to bear in mind the need, emphasised in paragraph 133 of the Schrems II decision, for assessment of measures in relation to data transferred to the US, and indeed other jurisdictions where the protection of privacy rights may fall short of those in the EU,          particularly, for example, Hong Kong.

The European Data Protection Board has published Frequently Asked Questions on the decision.   A link can be found on

Meanwhile, we await revised EU standard contractual clauses, updated guidance from the Information Commissioner’s Office, and, of course, news of what steps will need to be taken following the expiry of the transition period under the UK Withdrawal Agreement which maintains the UK’s pre-Brexit arrangements until 31 December 2020.

A link to The Sedona Conference Commentary on Law Firm Data Security, which includes model clauses for engagement letters and a sample law firm information security questionnaire, can be found on

‹ Back to Publications