CJEU invalidates the EU-US Privacy Shield Framework


17 Jul 2020

In a landmark ruling delivered yesterday by the Court of Justice of the European Union (‘CJEU’), Decision 2016/1250 on the adequacy of the protection provided by the European Union (‘EU’) – United States (‘US’) Privacy Shield has been invalidated. The basis of this ruling is the inadequacy of US laws when it comes to providing a standard of protection equivalent to that offered by the General Data Protection Regulation (‘GDPR’), to the personal data of individuals which is being transferred from the EU to the US. Such inadequacy is essentially the result of US surveillance laws.

This ruling is the outcome of a complaint filed by the well-known privacy activist Max Schrems against Facebook and the Irish Data Protection Commissioner over the insufficient protection of EU citizen’s personal data.

Through this ruling, the CJEU has effectively invalidated data transfer agreements between thousands of corporations (predominantly tech companies) which were relying on the Privacy Shield framework to carry out their usual business activities.

The effects of such a ruling will be felt immediately, as it essentially demotes all transfers of personal data to the US, to the regime that is in place for transfers to third countries which have not been subject to an ‘adequacy decision’ by the EU Commission. However, there is no cause for panic as the CJEU has specifically singled out that the ruling will not create a ‘legal vacuum’ since data flows which are absolutely necessary shall continue pursuant to Article 49 of the GDPR.

The CJEU ruling entails that all organisations which are reliant on the Privacy Shield and thus impacted by this ruling will now need to find another route for compliance with the GDPR when it comes to personal data transfers to the US. One of the most straightforward ways to overcome this challenge will be for all concerned parties to enter into standard contractual clauses ('SCC’s'), ensuring that the personal data being transferred to the US is subject to a level of protection which is equivalent to the standards set out by the GDPR. It is highly encouraging to note that the CJEU has examined and upheld the validity of the SCC’s.

Given the magnitude of this ruling, the long-term effects from both a regulatory as well as a political perspective are difficult to predict, and the situation will need to be closely monitored. In particular, it is likely that this ruling will also have an impact on the ongoing negotiations between the EU and the United Kingdom (‘UK’) with respect to reforming the UK’s surveillance laws, in order for them to obtain an ‘adequacy decision’ deal with the EU Commission by the end of the Brexit transition period.