October 21, 2020

Volume X, Number 295

Privacy Shield Invalidated by ECJ

On Thursday, July 16, the European Court of Justice (ECJ) ruled that the EU-US Privacy Shield is invalid. The ruling stems from the complaints filed with the Irish supervisory authority by Max Schrems regarding the transfer of his data from the EU to the US by Facebook. The years-long battle first saw the ECJ overturn the Safe Harbor provisions and now results in the overturn of the Privacy Shield, which was created to replace the Safe Harbor.

The ECJ found the GDPR applies to the transfer and the processing activities of an entity in a third country when the data being processed was transferred to the third country from the EU. The ECJ then found that the transfer mechanism must afford data subjects “a level of protection essentially equivalent to that guaranteed within the EU by the GDPR.” As a result, a transfer mechanism must consider both the protections agreed between the data exporter and the data importer and also the legal system of the third country, specifically the access to the data by public authorities. 

With that analysis in mind, and broadly referencing U.S. laws related to national security, public interest and law enforcement, the ECJ found that the Privacy Shield does not afford rights “essentially equivalent to those required under EU law.” The ECJ noted in particular that surveillance programs “are not limited to what is strictly necessary” and therefore do not comply with the principle of proportionality. Additionally, the ECJ took issue with the Ombudsperson mechanism under Privacy Shield, at least in part, because it does not provide data subjects a sufficient cause of action to protect their rights.

The ECJ also raised the question of the validity of the standard contractual clauses (enacted under Decision 2010/087). For now, the ECJ finds that the standard contractual clauses are valid. But the standard contractual clauses are not a default solution that should be applied in all cases. Before any transfer, the EU data exporter and US data importer must evaluate whether the third country respects the protections in the standard contractual clauses. Additionally, the parties must analyze whether the standard contractual clauses can be complied with or whether the transfer should be suspended.

US companies transferring data from the EU should evaluate their transfer mechanism and consider whether the standard contractual clauses are a suitable alternative. The implications of this decision are as yet unknown. For now, the standard contractual clauses are an acceptable way to transfer data. Under an extreme view, this decision could mean that personal data of EU residents cannot be transferred to the US.

© 2020 Bracewell LLP

National Law Review, Volume X, Number 205

About this Author

Jeffrey B. Andrews
Partner, Bracewell

Jeff Andrews’ broad transactional practice focuses on outsourcing, sourcing and technology transactions. He is best known for structuring and negotiating complex domestic and international information technology and business process outsourcing agreements. Jeff has assisted clients in outsourcing all major business functions and operations. He has negotiated opposite every major multinational and Indian outsourcing service provider. His clients span a wide range of industries, including energy, financial services, consumer products, retail, manufacturing, pharmaceuticals...

713.221.1439

Lucy Tyson
Associate, Bracewell

Lucy Tyson’s practice focuses on advising clients in a variety of matters related to the structuring and negotiating of services agreements for business process and information technology outsourcing and managed services. Lucy works with clients to develop and implement data privacy solutions that are compliant with global regulations. She has experience working across organizations, including compliance, HR, security, IT, and legal, to ensure that data privacy solutions are tailored to the client’s needs. Lucy also has experience in advising clients with the protection, maintenance, licensing and transfer of intellectual property assets, as well as in the prosecution and management of trademark portfolios. She has worked on United States and international patent clearance, prosecution and enforcement, and counsels clients on the protection of intellectual property assets in acquisitions. She advises clients in the energy, oilfield, chemical processing, petrochemicals, gas and biotechnology industries.

During law school, Lucy held an internship with U.S. Magistrate Judge Frances Stacy of the U.S. District Court for the Southern District of Texas. Lucy was awarded a 2011-2012 Houston Intellectual Property Law Association (HIPLA) Intellectual Property Law Scholarship.

1.713.221.3328