August 8, 2022

Volume XII, Number 220


August 08, 2022

Subscribe to Latest Legal News and Analysis

August 05, 2022

Subscribe to Latest Legal News and Analysis

EU Court of Justice Invalidates Privacy Shield

On the morning of 16 July 2020, in a significant decision of the Court of Justice of the European Union (CJEU), the Privacy Shield was held to be invalid.

What is the Privacy Shield

The Privacy Shield was an agreement negotiated in 2016 between the United States Department of Commerce, the European Commission and the Swiss Administration to provide a mechanism for companies to transfer personal data from the European Union and Switzerland to the United States. The Privacy Shield was designed to enable companies to transfer personal data across the Atlantic in accordance with EU data protection law that pre-dated the GDPR.

Companies continued to use the Privacy Shield as a data protection mechanism once the GDPR came into force on 25 May 2018, on the basis that it was adequate under the EU’s 1995 Data Protection Directive that was superseded by the GDPR.

The CJEU decision is a continuation of the Schrems decision that invalidated the predecessor Safe Harbour system (that was similarly intended to allow the free flow of personal data between the EU and US companies).

While not the only mechanism to allow the transfer of data, there are approximately 4000 US companies signed up to Privacy Shield as the means they use to  allow the free flow of personal data between the EU and the US. In light of this significant decision, US companies relying on the Privacy Shield should re-assess their data transfer arrangements immediately. As part of this process, companies should re-negotiate data transfer arrangements with their EU counterparts or rely on other mechanisms or exemptions under the GDPR to transfer personal data from the EU to the US.

Standard Contractual Clauses were also examined

The CJEU also examined the validity of Standard Contractual Clauses (SCCs). The SCCs are a set of model contractual terms that can be used between EU based data exporters and non-EU based data importers and are commonly used worldwide for the transfer of personal data outside the EU. The clauses predate the GDPR and have not been updated since the GDPR came into force.

While the CJEC ruled the SCCs are valid, they held that the SCCs should only be construed as a generic baseline for data transfers to any third country not offering an adequate level of data protection, and may be supplemented with additional terms depending on the adequacy of the data protection laws in the data importers country.

What this means for organisations with SCCs included in their contractual arrangements is that reliance on the SCCs, without amendment for local law considerations, may not be a suitable mechanism to validate data transfers between the EU and non EU countries.

Copyright 2022 K & L GatesNational Law Review, Volume X, Number 199

About this Author

Cameron Abbott, Technology, Attorney, Australia, corporate, KL Gates Law Firm

Mr. Abbott is a corporate lawyer who focuses on technology, telecommunications and broadcasting transactions. He assists corporations and vendors in managing their technology requirements and contracts, particularly large outsourcing and technology procurements issues including licensing terms for SAP and Oracle and major system integration transactions.

Mr. Abbott partners with his clients to ensure market leading solutions are implemented in to their businesses. He concentrates on managing and negotiating complex technology solutions, which...

Claude-Étienne Armingaud, KL Gates, Paris, data protection lawyer, commercial contracts attorney

Claude-Etienne Armingaud’s practice focuses on the representation of public and private companies in the area of information technologies and intellectual property law. Mr. Armingaud provides counsel to his clients at all stages of their corporate life cycle and in wide-ranging transactions, including in connection with litigation compliance matters, intellectual property protection and development, data protection strategic operations, and other commercial contracts.

Mr. Armingaud regularly advises start-up companies in matters relating to...

Rob Pulham Corporate Attorney K&L Gates
Special Counsel

Rob Pulham is an experienced corporate advisory and transactional lawyer with an active technology and privacy practice representing companies in the energy, manufacturing, mining, retail, health and financial services sectors, as well as government and not for profit organisations. He has extensive experience advising customers and vendors in the technology industry, with particular focus on software licensing, data privacy and protection, and systems integration projects. In his role as a senior corporate lawyer, Mr. Pulham reviews organisational policies and practices...

Senior Attorney

Ms. Aggromito is a senior lawyer in the lawyer in the Melbourne commercial technology and sourcing team focusing on IT, privacy and data protection.

Keely O'Dowd, K&L Gates, attorney, Melbourne

Ms. O'Dowd is an experienced lawyer with a focus on technology and sourcing projects. She advises on a broad range of technology transactions, including procurement, outsourcing and software licensing. This work includes drafting and advising on a range of IT procurement and supply agreements. Ms. O'Dowd advises a range of corporations on privacy and cybersecurity.