EU-US Privacy Shield declared invalid

Under the GDPR, the transfer of personal data from an EU state to a non-EU state is unlawful, with the exception of some jurisdictions that the EU considers to have equivalent privacy standards. The EU-US Privacy Shield allowed companies in the US to sign up to higher privacy standards before it was deemed lawful to allow the transfer of personal data between the EU and the US. The EU-US Privacy Shield effectively replaced the International Safe Harbor Privacy Principles, which were declared invalid by the European Court of Justice (ECJ) in October 2015.

On 16 July 2020, the ECJ invalidated the EU-US Privacy Shield as an appropriate mechanism to meet the GDPR’s cross-border personal data transfer restrictions after an Austrian citizen challenged the Privacy Shield by arguing that the privacy standards in the US did not safeguard EU citizens from US surveillance. The ECJ decided that US surveillance programmes were “not limited to what is strictly necessary” and “the requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred”.

What does the decision to invalidate the EU-US Privacy Shield mean?

This decision means that companies that had previously signed up to the EU-US Privacy Shield will now have to include Standard Contractual Clauses (SCCs) in their agreements, should they wish to transfer data between the EU and US. SCCs are non-negotiable legal clauses drawn up by Europe that focus on how personal data is managed. Data controllers that wish to use SCCs to allow them to transfer personal data to the US must first undertake an assessment of whether US law provides appropriate privacy safeguards. If they cannot prove this, then they are not permitted to use SCCs either.

Although the validity of these clauses has also been questioned, they remain valid and in use. However, the ECJ has warned that the contracts would be suspended if the guarantees in them are not adhered to. In light of the global pandemic, which has led to a huge increase in remote working and the use of digital platforms to communicate, it is likely that this area of data protection and privacy law will continue to evolve.

CONTACT CHRIS

If you would like more information or advice relating to this article or an Employment law or Data Protection matter, please do not hesitate to contact Chris Cook on 01727 798089.

© SA LAW 2020

Every care is taken in the preparation of our articles. However, no responsibility can be accepted to any person who acts on the basis of information contained in them alone. You are recommended to obtain specific advice in respect of individual cases.