GDPR EU-US Privacy Shield withdrawn

A ruling of the Court of Justice of the European Union (CJEU) has invalidated the GDPR EU-US Privacy Shield, meaning that any organisation transferring data between the EU and US can now only do so under Standard Contract Clauses. The ruling follows a complaint lodged by an Austrian privacy activist in 2014.

In a press release, the CJEU wrote:

“The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield.”

The CJEU’s finding is that “the requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country”, and that mechanisms in the EU-US Privacy Shield ostensibly intended to mitigate this interference (such as an ombudsperson role to handle EU citizens’ complaints) are not up to the required legal standard of ‘essential equivalence’ with EU law.

The decision does not affect ‘necessary’ data transfers, such as being able to send an email to book a hotel room, but it does affect the bulk outsourcing of data processing from the EU to the US. If you need advice on how this affects your organisation, you can get in touch and speak to one of our fully qualified GDPR advisors.