As soon as the Court of Justice for the European Union announced its decision in the Schrems II case on July 16, 2020 (Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems), a flurry of opinion and analysis articles appeared. The details of the case have been well covered. Articles such as, “Facebook told it may have to suspend EU data transfers after Schrems II ruling,” and “Why global data flow is under threat, and why Asia is in a strong position to benefit,” and “Companies left dangling until US, EU hash out data protection differences,” have been pouring forth as experts cover the case from nearly every angle.

But I believe a key contract issue remains underreported and underanalyzed. The Schrems II ruling invalidated the oft-used EU Privacy Shield Framework, and as a result, today, your customer contracts may be in a check-mate position as it relates to compliance with laws.