Alert Author
Nicole Joy Elmgart
Partner
European Union’s Highest Court Invalidates Privacy Shield
July 17, 2020
Yesterday marked the death of 5,378 companies’ reliance on their EU-U.S. Privacy Shield self-certification in order to comply with the GDPR’s adequacy requirement for data transfers from the EU to the U.S.
The European Court of Justice (ECJ), the highest court of the European Union (EU), ruled yesterday to invalidate the Privacy Shield, a commonly used legal mechanism to transfer personal data between the EU and U.S. while still complying with the EU’s General Data Protection Regulation (GDPR).
Privacy Shield, created in 2016, was an important mechanism for U.S. businesses to enable the valid transfer of EU personal data to the United States. Privacy Shield was established in response to a 2015 ECJ ruling that made the previous mechanism, the Safe Harbor principles, invalid. The aim of Privacy Shield was to ensure that transferred data would receive equivalent protection on both sides of the Atlantic.
The ECJ in its ruling invalidated Privacy Shield on the grounds that it did not offer EU citizens sufficient protection against U.S. government surveillance to satisfy that standard. This is consistent with the ECJ’s previous reasoning in invalidating the Safe Harbor principles. The other primary mechanism for EU-U.S. data transfers, Standard Contractual Clauses, was not invalidated by the ECJ. Although more cumbersome than Privacy Shield, Standard Contractual Clauses currently are the only valid and practicable mechanism businesses can use, since binding corporate rules often require lengthy approval processes and present other costly obstacles.
Practical Considerations
This ruling will have significant implications for clients’ businesses, and creates uncertainty for any business that until now has relied on the Privacy Shield. Clients should review transfers of personal data from the EU to the U.S. and ensure they are protected by the Standard Contractual Clauses, which remain valid legal mechanisms to comply with the GDPR. Transfers of personal data, however, are only one piece of GDPR compliance. Complete GDPR compliance requires a fact-intensive review of all aspects of business operations, and should be undertaken with the assistance of experienced counsel.