EU court invalidates EU/US data privacy shield in landmark ruling

Organizations can no longer use the “privacy shield” to transfer personal data between the European Union (EU) and the United States (US), following a landmark ruling by the Court of Justice of the European Union (CJEU) on 16 Jul 2020. However, the CJEU’s ruling confirmed that standard contractual clauses (SCCs) can still be used to transfer personal data across borders, provided the recipient country offers protection equivalent to that under EU law.

Background

More than 5,000 US companies have signed up for the EU/US “privacy shield,” and many EU companies have data controllers and processors who rely on it. The EU’s General Data Protection Regulation (GDPR) and its predecessor law prohibit the transfer of personal data outside of the European Economic Area (EEA) unless a recognized mechanism applies; mechanisms like the “privacy shield” and SCCs allowed the lawful transfer of personal data to non-EEA recipients.

The court’s decision concerned a complaint brought by an Austrian privacy activist who claimed that personal data sent by Facebook — from the EEA to the US — was not adequately protected. An October 2015 decision by the CJEU invalidated the “safe harbor” procedure that preceded the “privacy shield,” following a complaint made by the same privacy activist.

The “privacy shield” — introduced in July 2016 following negotiations between the US Department of Commerce, the European Commission and the Swiss government — aimed to provide a mechanism to enable the lawful transfer of personal data from the EU and Switzerland to the US. Other mechanisms allow data transfers, but they are not straightforward or suitable for use in an employment context. Currently, the available mechanisms include SCCs, binding corporate rules, and derogations that allow individuals to give their explicit consent, or data transfers that are necessary to ensure the performance of a contract. 

Highlights of the ruling

  • The CJEU ruled that the broad powers of certain US public authorities to access data conflict with the more protective EU data protection law. Under US law, organizations could be required to share and allow the review of personal data for surveillance purposes.
  • Controllers and processors of personal data who rely on SCCs must conduct due diligence to ensure that countries receiving such data provide protection equivalent to that given to EU data subjects under EU law. National data protection authorities can audit SCCs and have the power to stop data transfers if necessary. It is unclear from the ruling whether SCCs would provide sufficient protection for the transfer of data from the EU to the US, given the CJEU’s concerns about the adequacy of data protection in the US.

The European Commission recently announced plans to update SCCs, but it is not known if the CJEU ruling will affect the review. The SCCs provide a set of model contractual terms that can be used to transfer personal data, but they have not been updated since the GDPR took effect in 2018.

by Fiona Webster, Principal, Mercer’s Law & Policy Group

and Stephanie Rosseau, Principal, Mercer’s Law & Policy Group
