European Court of Justice invalidates EU-U.S. Privacy Shield, affirms Standard Contractual Clauses

July 17, 2020

Data Privacy & Cybersecurity Alert

Author(s): Bruce E. Copeland, Jenny L. Holmes

The European Court of Justice (ECJ), the highest court of the European Union (EU), ruled yesterday to invalidate the Privacy Shield, a commonly used legal mechanism to transfer personal data between the EU and U.S. while still complying with the EU’s General Data Protection Regulation (GDPR). This alert continues the Nixon Peabody Data Privacy and Cybersecurity Group’s coverage of U.S. and EU privacy laws and regulations.

What was the Privacy Shield?

The Privacy Shield, created in 2016, was an important mechanism for U.S. businesses — more than 5,300 US businesses currently rely on it to enable the valid transfer of EU personal data to the United States. The Privacy Shield was established after a 2015 ECJ ruling invalidated the previous mechanism, the Safe Harbor principles. That ruling, and yesterday’s decision, resulted from legal challenges against Facebook by Austrian privacy activist Maximillian Schrems.

Why did the Court rule this way?

The spirit of the Privacy Shield was to ensure that transferred data would receive equivalent protection on both sides of the Atlantic. In its opinion, the ECJ invalidated the Privacy Shield on the grounds that it did not offer EU citizens sufficient protection against U.S. government surveillance to satisfy that standard. This argument is in line with the ECJ’s arguments to substantiate the invalidation of the Safe Harbor principles.

The imbalance of protection for EU citizens’ personal data in the U.S. was precipitated by a 2017 Executive Order signed by President Donald Trump that orders executive agencies to exclude non-U.S. persons from protections under U.S. privacy laws.

The ECJ did not, however, invalidate the other primary mechanism for EU-U.S. data transfers: the Standard Contractual Clauses. While more cumbersome than the Privacy Shield, in that they have to be implemented on a case-by-case basis, the Standard Contractual Clauses currently are the only valid and practicable mechanism businesses can use, since binding corporate rules often require long approvals processes and other costly obstacles.

What are the implications of this ruling for U.S. businesses?

The ECJ judgment creates uncertainty for any business relying on the Privacy Shield. Using history as a guide, it is to be expected that a new mechanism will be created in the wake of the Privacy Shield. In the meantime, businesses should review transfers of personal data from the EU to the U.S. and make sure they are protected by the Standard Contractual Clauses, which remain valid legal mechanisms to comply with the GDPR. Valid transfers of personal data are only one step toward compliance with the GDPR, however. Full compliance with the GDPR requires a fact-intensive review of all aspects of business operations, and should be undertaken with the assistance of experienced counsel.

The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

Back to top