EU-US Privacy Shield Invalid
In a landmark decision on July 16, 2020, the European Court of Justice (ECJ) struck down the EU-US Privacy Shield with reference to the European General Data Protection Regulation (GDPR).
The ruling is expected to have a huge impact on the digital economy as it massively affects data transfers between the European Union and the USA. It is the second time the ECJ has ruled against previously established market practice. In 2015, the ECJ had already held the previous ruling on the Privacy Shield’s predecessor, the Safe Harbor framework, invalid.
The European Union and the USA will now have to negotiate a new framework that meets the requirements set by the ECJ. In the meantime, companies will have to ensure that they use legally compliant solutions for the transfer of personal data from the European Union to the US.
In practical terms, the Standard Contractual Clauses (SCCs) already widely used will probably become even more important. In its landmark decision, the ECJ has generally upheld the principle that SCCs governing the transfer of personal data to processors situated in third countries are acceptable.
However, the ECJ has pointed out that prior to any transfer of personal data both the exporter and the recipient of such personal data have to actually verify whether the level of protection required under the GDPR is adhered to in the third country concerned. In addition, the recipient is obliged to inform the data exporter of any inability to comply with the standard data protection clauses. In such cases, the data transfer might have to be suspended or even terminated.
Under the new ruling, it is now clear that the mere existence of SCCs is not sufficient. The parties to such a data transfer agreement will also have to adhere to the conditions contained in the SCCs.
Companies that used to transfer data to the US under the Privacy Shield will be strongly affected by the recent ECJ decision. They will have to thoroughly evaluate their existing data transfer agreements and, where necessary, evaluate alternatives to ensure a legally compliant cross-border data transfer.
HEUSSEN’s Data Protection has substantial experience in advising clients in this regard.