Big news last week in the privacy world. The European Court of Justice has annulled the EU-US Privacy Shield, the data exchange treaty between the two parties. This ruling follows a complaint by privacy activist Maximilian Schrems (also known from the Schrems I judgment, which annulled the ‘Safe Harbour Decision’). Schrems believes that personal data that is transferred to the United States is not adequately protected, even though this is required by the GDPR.

Key points

  1. Annulment of the Privacy Shield: The Court holds that “the limitations on the protection of personal data arising from the United States internal regime on access to and use by the United States authorities are not delineated in such a way as to meet requirements which are broadly similar to those laid down in Union law by the principle of proportionality, since the surveillance programmes based on that internal regime are not limited to what is strictly necessary”. Moreover, EU citizens have “no possibility to appeal to a body providing guarantees broadly equivalent to those required by Union law” where the ombudsman mechanism does not provide sufficient certainty. On the basis of this finding, the Court decided to declare the EU-US Privacy Shield invalid.
  2. Confirmation of the validity of Decision 2010/87: The Court additionally confirmed the validity of a standard contractual clause or model agreement adopted by the European Commission. It considers that this Decision contains effective mechanisms to ensure protection in accordance with EU standards. If the provisions are infringed or cannot be complied with, the transfer of data should be suspended or prohibited.
  3. It is up to the supervisory authorities to suspend or prohibit international data transfers where they consider that adequate data protection cannot be ensured.

What are the consequences of the judgment?

According to Schrems and Sophie in ’t Veld, MEP, it will be difficult for companies to transfer personal data to the United States on the basis of standard contractual clauses as long as US surveillance legislation in its current form is involved. Only when this surveillance law does not apply to the U.S. company to which the personal data is transferred will the standard contractual clauses be applicable. “The enormous power of tech giants does not sit comfortably with many Europeans. Privacy and protection of personal data have gained in importance in recent years. This must now finally be recognised and not ignored by the European Commission and national governments that want to keep their ties with the US strong. The Commission must protect the privacy of European citizens, but leave it to individuals with a lot of courage and perseverance, such as Max Schrems, who enforce our fundamental rights in court,” says in ’t Veld. It remains to be seen whether there will be a successor to the EU-US Privacy Shield as we now know it, just as with the ‘Safe Harbour Decision’.

Does your organization transfer personal data to the United States, and are you unsure how to proceed? Do not hesitate to contact us! We will be pleased to help you ensure that you are always in compliance with your obligations under the GDPR.