The ECJ (European Court of Justice) has ruled, in the case known as Schrems II, that the EU–US Privacy Shield fails to protect people's rights to privacy and data protection, and has declared the framework invalid.
The Privacy Shield was adopted in 2016 as a way for organisations on both sides of the Atlantic to transfer personal data for commercial purposes.
It was intended to address the failures of its predecessor, Safe Harbor, which had been deemed invalid by the ECJ following legal action from the Austrian privacy activist Max Schrems.
Schrems also led the case against the Privacy Shield, saying that: “It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a role in the EU market”.
What does this mean for transatlantic data transfers?
European data protection law states that personal data can be transferred to a country outside the EU only if that country is covered by an adequacy decision or other appropriate safeguards are in place.
The Privacy Shield decision was meant to provide that adequacy for certified US companies, but the ECJ has ruled that the US government's surveillance powers (the judgment examined in particular Section 702 of FISA and Executive Order 12333), together with the lack of effective legal redress for EU residents, mean that the protection is not essentially equivalent to that guaranteed in the EU.
The 5,000 or so organisations that currently rely on the framework will now have to fall back on standard contractual clauses, the mechanism already used for transfers from the EU to other third countries.
Schrems also challenged the validity of these, and although the ECJ chose not to abolish them, it did restrict their applicability.
Organisations (and, where they fail to act, regulators) must now assess case by case whether the law and practice of the destination country, particularly the rules on government access to data, allow the clauses to be honoured in practice, and must suspend the transfer if they do not. Given what the court has just said about US surveillance law, that casts serious doubt on how far the clauses alone can support data transfers between the EU and the US.
Privacy trade war
Jonathan Kewley, co-head of technology at the law firm Clifford Chance, described the ruling as “a bold move by Europe”.
He added that “What we are seeing here looks suspiciously like a privacy trade war, where Europe is saying their data standards can be trusted but those in the US cannot.”
Meanwhile, Estelle Massé, Senior Policy Analyst at Access Now, said it was “irresponsible” of lawmakers to adopt the Privacy Shield in the first place, from both a legal and a political perspective.
“We hope that, this time, the European Commission draws the necessary conclusions from the ruling and works on all the necessary reforms,” she added.
How should you transfer data?
The European Court of Justice's ruling will leave many data protection managers scratching their heads over how they are now supposed to make transatlantic data transfers.
Although there are detailed rules in place, it is easy to be unsure exactly how they apply to your own transfers and to fear making a costly mistake.
That’s where the EU–US GDPR Data Transfer Assessment and Action Plan helps. Delivered by our sister company IT Governance, this service provides practical, step-by-step guidance to ensure that your data transfers to and from the US remain GDPR compliant.