Under the GDPR, the transfer of personal data from an EU state to a non-EU state is unlawful, with the exception of some jurisdictions that the EU considers to have equivalent privacy standards. The EU-US Privacy Shield allowed companies in the US to sign up to higher privacy standards before it was deemed lawful to allow the transfer of personal data between the EU and the US. The EU-US Privacy Shield effectively replaced the International Safe Harbor Privacy Principles, which were declared invalid by the European Court of Justice (ECJ) in October 2015.
On 16 July 2020, the ECJ invalidated the EU-US Privacy Shield as an appropriate mechanism to meet the GDPR’s cross-border personal data transfer restrictions after an Austrian citizen challenged the Privacy Shield by arguing that the privacy standards in the US did not safeguard EU citizens from US surveillance. The ECJ decided that US surveillance programmes were “not limited to what is strictly necessary” and “the requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred”.
What does the decision to invalidate the EU-US Privacy Shield mean?
This decision means that companies that had previously signed up to the EU-US Privacy Shield will now have to include Standard Contractual Clauses (SCCs) in their agreements, should they wish to transfer data between the EU and US. SCCs are non-negotiable legal clauses drawn up by Europe that focus on how personal data is managed. Data controllers that wish to use SCCs to allow them to transfer personal data to the US must first undertake an assessment of whether US law provides appropriate privacy safeguards. If they cannot prove this, then they are not permitted to use SCCs either.
Although the validity of these clauses has also been questioned, they remain valid and in use. However, the ECJ has warned that the contracts would be suspended if the guarantees in them are not adhered to. In light of the global pandemic, which has led to a huge increase in remote working and the use of digital platforms to communicate, it is likely that this area of data protection and privacy law will continue to evolve.