EU High Court Invalidates EU-US Privacy Shield Framework

Written by: Brett Lawrence, Esq.

On July 16, 2020, the Court of Justice of the European Union (“CJEU”), Europe’s top court, struck down the EU-US Privacy Shield Framework. The Privacy Shield was created to allow businesses to transfer personal data to the United States from the European Union (“EU”).

The CJEU premised its decision invalidating the Privacy Shield on the inherent conflict between US national security, public, and law enforcement interests and a person’s fundamental rights to the privacy, safety, and control of their personal data. Although the Privacy Shield ostensibly resolved this conflict, the CJEU disagreed. The CJEU reasoned that, because of the significant limitations for a person in the US to protect their data and the ease with which US public authorities can access and use such data, the Privacy Shield did not afford “a level of protection essentially equivalent to that guaranteed within the EU” by the General Data Protection Regulation (“GDPR”).

As a result of this decision, numerous contracting businesses that have relied on the Privacy Shield must now look to other mechanisms under the GDPR to transfer data outside of the EU to the US.

However, while the Privacy Shield has been deemed invalid, the CJEU clarified that Standard Contract Clauses (“SCC”)—which are non-negotiable contracts adopted by the EU Commission—remain valid and enforceable. But the CJEU also emphasized that it is incumbent on the data exporters and importers to, “prior to any transfer,” determine the level of protection provided by the country where the data is going to be stored. If the protection level is not equivalent to the GDPR, then it is the duty of each member state’s data protection authority to suspend any data transfers taking place via an SCC to non-EU countries where data protection is inferior.

The remaining question now is whether the EU countries’ data protection authorities will start reviewing the validity of current US-based SCCs. In any event, the CJEU’s decision makes clear that, if US businesses want to continue to compete in the EU marketplace, the US government will have to think hard about modifying its privacy laws.
