EU-US Privacy Shield declared invalid

Fri 11th Sep 2020

Under the GDPR, the transfer of personal data from an EU state to a non-EU state is unlawful, with the exception of some jurisdictions that the EU consider to have equivalent privacy standards. The EU-US Privacy Shield allowed companies in the US to sign up to higher privacy standards before it was deemed lawful to allow the transfer of personal data between the EU and the US. The EU-US Privacy Shield effectively replaced the International Safe Harbor Privacy Principles, which were declared invalid by the European Court of Justice (ECJ) in October 2015.

On 16 July 2020, the ECJ invalidated the EU-US Privacy Shield as an appropriate mechanism to meet the GDPR’s cross-border personal data transfer restrictions after an Austrian citizen challenged the Privacy Shield by arguing that the privacy standards in the US did not safeguard EU citizens from US surveillance. The ECJ decided that US surveillance programmes were “not limited to what is strictly necessary” and “the requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred”.

What does the decision to invalidate the EU-US Privacy Shield mean?

This decision means that companies that had previously signed up to the EU-US Privacy Shield will now have to include Standard Contractual Clauses (SCCs) in their agreements, should they wish to transfer data between the EU and US. SCCs are non-negotiable legal clauses drawn up by Europe that focus on how personal data is managed. Data controllers that wish to use SCCs to allow them to transfer personal data to the US must first undertake an assessment of whether US law provides appropriate privacy safeguards. If they cannot prove this, then they are not permitted to use SCCs either.

Although the validity of these clauses has also been questioned, they remain valid and in use, however the ECJ has warned that the contracts would be suspended if the guarantees in them are not adhered to. In light of the global pandemic which has led to a huge increase in remote-working and the use of digital platforms to communicate, it is likely that it this area of data protection and privacy law will continue to evolve. 

CONTACT CHRIS

If you would like more information or advice relating to this article or an Employment law matter, please do not hesitate to contact Chris Cook on 01727 798098.

Related services you might be interested in
SA Law Red arrow neon light image

GDPR, Data & Privacy
Stained glass window

Employment
View all of SA Law's services
Read our latest views & insight about the GDPR
Read all GDPR related views & insights
GDPR Numbers Image SA Law
Views & Insights
The Future of Data Protection in the UK

'UK GDPR' - What is the Data Reform Bill?

Read More
SA Law Red arrow neon light image
Views & Insights
Data Protection and workplace coronavirus testing

Managing the data protection challenges of workplace coronavirus testing

Read More
SA Law Red arrow neon light image
Views & Insights
GDPR: two years on

Chris Cook examines a recent report from the European Commissions review of the GDPR, two years on.

Read More
GDPR Numbers Image SA Law
Views & Insights
A new age: working from home and GDPR

What GDPR issues may arise from working from home and what you should do to reduce risk and stay compliant.

Read More
SA Law Red arrow neon light image
Views & Insights
Data protection and the coronavirus pandemic

Good news: The ICO provides clarity on common areas of data concerns during the unprecedented coronavirus pandemic.

Read More
SA Law Red arrow neon light image
Views & Insights
Data protection and school photographs

ICO shares guidance following two schools being reprimanded for distributing photographs of pupils without parents’ consent.

Read More
SA Law Red arrow neon light image
Views & Insights
GDPR one year on: make sure your small business is compliant

Chris Cook shares vital tips for SMEs who haven't done anything to abide by GDPR, and how they can start going about compliance.

Read More
GDPR Numbers Image SA Law
Views & Insights
GDPR one year on

Subject access requests and complaints have been commonplace since the GDPR came into effect. Find out more about the trends and traps.

Read More
Read all GDPR related views & insights
Meet our Data & Privacy Team
Chris Cook
Personal
Chris Cook
Partner | Head of Employment & Data Protection
Simon Walsh
Personal
Simon Walsh
Partner | Commercial Litigation & Dispute Resolution Team
Christine Caffrey
Personal
Christine Caffrey
Associate | Employment Team
Personal
Sharon Mitchell
Consultant | Corporate & Commercial Team
Photo close up of football table player
Personal
Stephanie Clarke
Solicitor | Employment Team
Helen Young
Personal
Helen Young
Associate | Commercial Litigation & Dispute Resolution Team
Kiran Afsar | SA Law
Personal
Kiran Afsar
Paralegal | Corporate & Commercial Team

© SA LAW 2024

Every care is taken in the preparation of our articles. However, no responsibility can be accepted to any person who acts on the basis of information contained in them alone. You are recommended to obtain specific advice in respect of individual cases.