EU-US Privacy Shield Invalidated by the Court of Justice of the European Union

By Javier Fernandez-Samaniego*
The Court of Justice of the European Union has invalidated Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield in its July 16, 2020 judgment (Case C-311/18, Data Prot. Comm’r v. Facebook Ir. Ltd.)(“Schrems II”). The Court, however, upheld the validity of the SCC (Standard Contractual Clauses) mechanism to transfer data to the United States from the EU.
U.S. Secretary of Commerce Wilbur Ross issued the following statement on the July 16 ruling by the Court of Justice of the European Union in the Schrems II case:
“While the Department of Commerce is deeply disappointed that the Court appears to have invalidated the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield, we are still studying the decision to fully understand its practical impacts. We have been and will remain in close contact with the European Commissioner and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments. Data flows are essential not just to tech companies – but to businesses of all sized in every sector. As our economies continue their post-COVID-19 recovery, it is critical that companies – including the 5,300+ current Privacy Shield participants – be able to transfer data without interruption, consistent with the strong protections offered by Privacy Shield.” For more information on Wilbur Ross’ statement, click here.
Immediate Consequences
Companies that were relying on the EU-U.S. Privacy Shield for data transfers to the United States should substitute this safeguard for alternative safeguard mechanisms, namely the so-called “SCC” Standard Contractual Clauses, unless a quick agreement on a new scheme compliant with the EU legislation is reached between the European Union and the United States.
Judgment
Please follow this links (linklink) for the background case and the judgment issued by the European Court of Justice.
Privacy Shield
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. For additional information, please follow this link.
Javier Fernandez-Samaniego is the Managing Director of Samaniego Law, an alternative iberoamerican law firm specializing in dispute resolution and technology law, and Foreign Legal Consultant of The Florida Bar. For additional information, please follow this link.