The European Court of Justice (“ECJ”) has ruled that the EU-US Privacy Shield is unlawful and invalid.
The Privacy Shield was an agreement between the EU and the US, which governed data transfers between the two territories. In a 2016 decision, the European Commission had found that the protection provided by the Privacy Shield was adequate.
The ECJ invalidated the European Commission’s 2016 decision, finding that the Privacy Shield failed to adequately protect EU citizens’ privacy, with the risk that citizens’ rights under the General Data Protection Regulation (“GDPR”) would be violated. Specifically, the court found, that the protections offered in the Privacy Shield agreement were not “essentially equivalent to those required under EU law”.
The decision follows a 2015 ruling which invalidated a similar data transfer agreement between the EU and the US known as Safe Harbour.
The decision is likely to affect many companies who rely on data transfers between the two territories. Some industry players have voiced concerns about the future of data transfers between the two territories. A number of industry groups, led by the Software Alliance, have reacted by calling for a new, reliable framework for transatlantic data transfers.
However, the ECJ also found that the Standard Contractual Clauses, another mechanism for cross-border data transfers with the US, were lawful in principle, although a case-by-case analysis of the risks inherent in third country data transfers would have to be considered. Companies affected by the decision may therefore be able to switch to relying on this basis for such transfers.
Moreover, article 49 of the GDPR does provide for “necessary” transfers (e.g. transfers which are vital for: the conclusion or performance of a contract, the establishment, exercise or defence of legal claims, protecting the vital interests of the data subject, or for important reasons of public interest) to continue in the absence of an adequacy decision or appropriate safeguards. It will be interesting to see how many companies will seek to rely on this.
In a press statement, the US Secretary of State, Michael Pompeo, has expressed disappointment at the decision and indicated it is “reviewing this outcome and the consequences and implications for more than 5,300 European and U.S. companies, representing millions of transatlantic jobs and over $7.1 trillion in commercial transactions.”
The ECJ’s decision can be found here.
Please contact Jose Saras if you have been affected by the ECJ’s decision, or if you have any questions related to data transfers and data protection regulations.