Articles

The CJEU declares the EU-US Privacy Shield invalid: blurry future for international personal data transfers

The CJEU declares the EU-US Privacy Shield invalid: blurry future for

The CJEU declares the EU-US Privacy Shield invalid: blurry future for international personal data transfers

16.07.2020 EU law

The Court of Justice of the European Union (CJEU) has just declared the Privacy Shield Decision invalid, in its entirety.

The Court of Justice of the European Union (CJEU) has just declared the Privacy Shield Decision invalid, in its entirety.

The CJEU was seized with a request for a preliminary ruling introduced by the Irish High Court about the validity of the Commission decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries (the SCC Decision). The CJEU addressed the eleven questions referred by the Irish High Court and concludes, in substance that:

  • Nothing affects the validity of the SCC Decision as it "provides for effective mechanisms which, in practice, ensure that the transfer to a third country of personal data pursuant to the standard data protection clauses in the annex to that decision is suspended or prohibited where the recipient of the transfer does not comply with those clauses or is unable to comply with them." (§148);
  • The Court's analysis must take into consideration the Privacy Shield Decision and examine whether the latter complies with the requirements stemming from the GDPR read in light of the Charter. On the basis of succinct arguments, the CJEU concludes that "Article 1(1) of the Privacy Shield Decision, in finding that the US ensures an adequate level of protecton for personal data transferred from the Union to organiation in the US under the EU-US Privacy Shield, disregards the requirements of Article 45(1) of the GDPR read in light of Articles 7, 8 and 47 of the Charter." According to the CJEU, as Article 1 is inseparable from Articles 2 and 6 and the annexes to the decision, its invalidity affects the validity of the decision in its entirety.

The CJEU does not see any reason to mitigate the effects of its landmark decision and considers that in any event “the annulment of an adequacy decision such as the Privacy Shield Decision is not liable to create any legal vacuum”.

Companies relying on this safeguard to secure the transfer of personal data from the EU to the US should pay great attention to this case, immediately stop relying on their Privacy Shield certification and rely on alternative safeguards provided by the GDPR.

The full decision is available at this link.

Team

Related news

29.07.2020 NL law
Over temperaturen ten tijde van corona

Articles - Met haar standpunt ten aanzien van het meten van temperaturen van werknemers, geeft de Autoriteit Persoonsgegevens (AP) verduidelijking over de reikwijdte van haar toezicht. Deze nuancering houdt in dat, als er geen sprake is van verwerking van persoonsgegevens, de AVG niet geldt en de AP dus niet handhavend kan optreden.

Read more

03.07.2020 NL law
E-book NOW-2: Second Temporary Emergency Bridging Measure Work Retention

Articles - On 17 March 2020, the Dutch cabinet announced the first emergency package of support measures to alleviate the economic consequences of the corona crisis. This emergency package inter alia comprised the First Temporary Emergency Bridging Measure for the purpose of Work Retention (“NOW-1”) and the Temporary Bridging Measure for Self-Employed Persons (“Tozo-1”).

Read more

03.07.2020 NL law
E-book NOW-2: Tweede tijdelijke noodmaatregel overbrugging voor behoud van werkgelegenheid

Articles - Op 17 maart 2020 kondigde het kabinet het eerste noodpakket aan met steunmaatregelen om de economische gevolgen van de coronacrisis te dempen. Onderdeel van dit noodpakket zijn onder andere de Eerste tijdelijke noodmaatregel overbrugging voor behoud van werkgelegenheid (“NOW-1”) en de Tijdelijke overbruggingsregeling zelfstandige ondernemers (“Tozo-1”).

Read more