On the morning of 16 July 2020, in a significant decision of the Court of Justice of the European Union (CJEU), the Privacy Shield was held to be invalid.
What is the Privacy Shield
The Privacy Shield was an agreement negotiated in 2016 between the United States Department of Commerce, the European Commission and the Swiss Administration to provide a mechanism for companies to transfer personal data from the European Union and Switzerland to the United States. The Privacy Shield was designed to enable companies to transfer personal data across the Atlantic in accordance with EU data protection law that pre-dated the GDPR.
Companies continued to use the Privacy Shield as a data protection mechanism once the GDPR came into force on 25 May 2018, on the basis that it was adequate under the EU’s 1995 Data Protection Directive that was superseded by the GDPR.
The CJEU decision is a continuation of the Schrems decision that invalidated the predecessor Safe Harbour system (that was similarly intended to allow the free flow of personal data between the EU and US companies).
While not the only mechanism to allow the transfer of data, there are approximately 4000 US companies signed up to Privacy Shield as the means they use to allow the free flow of personal data between the EU and the US. In light of this significant decision, US companies relying on the Privacy Shield should re-assess their data transfer arrangements immediately. As part of this process, companies should re-negotiate data transfer arrangements with their EU counterparts or rely on other mechanisms or exemptions under the GDPR to transfer personal data from the EU to the US.
Standard Contractual Clauses were also examined
The CJEU also examined the validity of Standard Contractual Clauses (SCCs). The SCCs are a set of model contractual terms that can be used between EU based data exporters and non-EU based data importers and are commonly used worldwide for the transfer of personal data outside the EU. The clauses predate the GDPR and have not been updated since the GDPR came into force.
While the CJEC ruled the SCCs are valid, they held that the SCCs should only be construed as a generic baseline for data transfers to any third country not offering an adequate level of data protection, and may be supplemented with additional terms depending on the adequacy of the data protection laws in the data importers country.
What this means for organisations with SCCs included in their contractual arrangements is that reliance on the SCCs, without amendment for local law considerations, may not be a suitable mechanism to validate data transfers between the EU and non EU countries.