EU-US Privacy Shield invalidated: consequences for the transfer of personal data to organizations in the US

The EU-US Privacy Shield was invalidated on 16 July 2020 by a ruling of the Court of Justice of the European Union. Organizations in the EU can therefore no longer transfer personal data to the United States on the basis of this arrangement.

What is the Privacy Shield?

Personal data may only be transferred from the EU to a third country under the GDPR if that country ensures an adequate level of protection. Since the US does not ensure an adequate level of protection, the European Commission created the Privacy Shield. If an organization in the US committed itself to this arrangement, personal data of European data subjects could be transferred to organizations in the US.

Privacy Shield invalidated

The Court of Justice stated that under the Privacy Shield, national security, public interest and compliance with US law prevail over the provisions of the GDPR and the EU Charter. In this respect, the Court also referred to the fact that US government bodies can gain access to the personal data of European citizens through surveillance programs, even where such access goes beyond what is strictly necessary. In addition, data subjects have no enforceable rights against US authorities, and the Ombudsman mechanism does not provide sufficient guarantees.

The Court therefore ruled the Privacy Shield to be invalid. The European Commission must now come up with a new arrangement for the transfer of personal data from the EU to the US.

Model contracts

The Court also ruled that personal data may still be transferred on the basis of standard provisions (model contracts) drawn up by the European Commission and included in your agreement with your US trading partner. For such a transfer to be valid, however, your US business partner must be able under US law to actually comply with the provisions of the model contract. In view of the Court’s judgment on the US legal system, it is doubtful whether US companies can and may comply with those provisions. As a result, transfers on the basis of model contracts have also become uncertain.

What now?

If your organization transfers personal data to organizations in the US on the basis of the Privacy Shield, you should in any case take action by including an alternative arrangement in documentation such as processing and other agreements, privacy statements, internal privacy policies and processing registers. But even if you use standard provisions, it is advisable to take one of the following actions:

  • request the data subjects’ express consent to share their data with parties in the US, informing the data subjects of the risks of such a transfer; or
  • find a processor based in the EU instead of the US.

If you have any questions about the consequences of this judgment for your organization or if you wish to amend your documentation, please do not hesitate to contact us.