Organizations can no longer use the “privacy shield” to transfer personal data between the European Union (EU) and the United States (US), following a landmark ruling by the Court of Justice of the European Union (CJEU) on 16 Jul 2020. However, the CJEU’s ruling confirmed that standard contractual clauses (SCCs) can be used to transfer personal data across borders, subject to recipient countries providing protection equivalent to EU law.
More than 5,000 US companies have signed up for the EU/US “privacy shield,” and many EU companies have data controllers and processors who rely on it. The EU’s General Data Protection Regulation (GDPR) and its predecessor law prohibit the transfer of personal data outside of the European Economic Area (EEA), but certain mechanisms — like the “privacy shield” and SCCs — allowed the lawful transfer of personal data to non-EEA recipients.
The court’s decision concerned a complaint brought by an Austrian privacy activist who claimed that personal data sent by Facebook — from the EEA to the US — was not adequately protected. An October 2015 decision by the CJEU invalidated the “safe harbor” procedure that preceded the “privacy shield,” following a complaint made by the same privacy activist.
The “privacy shield” — introduced in July 2016 following negotiations between the US Department of Commerce, the European Commission and the Swiss government — aimed to provide a mechanism to enable the lawful transfer of personal data from the EU and Switzerland to the US. Other mechanisms allow data transfers, but they are not straightforward or suitable for use in an employment context. Currently, the available mechanisms include SCCs, binding corporate rules, and derogations that cover transfers made with an individual’s explicit consent or transfers that are necessary to ensure the performance of a contract.
The European Commission recently announced plans to update SCCs, but it is not known if the CJEU ruling will affect the review. The SCCs provide a set of model contractual terms that can be used to transfer personal data, but they have not been updated since the GDPR took effect in 2018.