Ruling against EU-US Privacy Shield

On July 16, 2020, the Court of Justice of the European Union (CJEU) issued a ruling invalidating the EU-US Privacy Shield with respect to data transfers.

The CJEU’s reasons for annulling the Privacy Shield rest mainly on the lack of guarantees on the part of the U.S.: the guarantees are not regulated in accordance with requirements substantially equivalent to those of EU law, and the principle of proportionality is not respected. In addition, the rights that data subjects can assert against the U.S. authorities before the courts are not provided for, since the Ombudsman mechanism that was established does not offer them the necessary guarantees.

Invalidated Shield

Thus, the possible access and use by U.S. authorities of personal data transferred from the European Union prevents the United States from being considered as a jurisdiction with a level of protection equivalent to that of the European Union. Consequently, the CJEU concludes, the Privacy Shield should be declared invalid.

What do we do now?

The consequences are quite significant, as data transfers with and between European and U.S. entities are affected and business relations between European and U.S. entities are in turmoil.

Some reaction is expected from the AEPD to shed some light on the matter, but in the meantime the most sensible course seems to be to ask the American entities for one of the other safeguards that ensure the transfer is safe for data processing (Art. 46 GDPR):

a) A legally binding and enforceable instrument between public authorities or agencies

b) Binding corporate rules

c) Standard data protection clauses adopted by the Commission that remain valid

  • Decision 2001/497/EC of 15 June 2001 on standard contractual clauses for the transfer of personal data between controllers to a third country
  • Decision 2004/915/EC of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries
  • Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries, pursuant to Directive 95/46/EC

d) Standard data protection clauses adopted by a supervisory authority and approved by the Commission

e) Codes of conduct, together with binding and enforceable commitments of the controller or processor in the third country to implement appropriate safeguards, including those relating to the rights of data subjects

f) Certification mechanisms, together with binding and enforceable commitments by the controller or processor in the third country to implement appropriate safeguards, including those relating to the rights of data subjects

How the shield used to work

When the Privacy Shield was active, in order to transfer personal data from the EU, entities were required to self-certify their adherence to the principles to the Department of Commerce (or its delegate) (“the Department”).

Although entities’ decisions to join the Privacy Shield were voluntary, actual compliance was mandatory.

To join the Privacy Shield, entities had to:

a) be subject to the investigative and enforcement powers of the Federal Trade Commission (“the FTC”), the Department of Transportation or other official body that effectively ensures compliance with the principles (other official U.S. bodies recognized by the EU may be annexed in the future);

b) publicly declare their commitment to comply with the principles;

c) make public their privacy policies in accordance with these principles;

d) apply them in their entirety.

Noncompliance by an entity could be subject to enforcement action under Section 5 of the Federal Trade Commission Act, which prohibits unfair or fraudulent acts in or affecting commerce [USC, Title 15, Section 45(a)], or under other laws or regulations prohibiting such acts.

The list of certified entities could be consulted here: https://www.privacyshield.gov/list

Does this affect any company?

Analyze the list of your suppliers / collaborators and identify those residing in the United States of America. If you transfer data to other entities in that country, you are also affected.
