ECJ declares EU-US Data Privacy Shield invalid

Heavy impact on use of Google, Facebook, etc.

Now, companies can no longer transfer personal data to the USA on the basis of the EU-US Data Protection Shield and must switch to alternatives in order to avoid heavy fines.

EU-US Data Privacy Shield invalid

The ECJ declares the EU-US Data Privacy Shield invalid. The ECJ based its decision on the fact that not only US companies but also US secret services have unrestricted access to and use of the personal data transferred. In particular, US secret services can also "retain" personal data of EU citizens, which violates the European right to privacy.

Standard Contractual Clauses valid

In contrast, the ECJ has declared the EU Standard Contract Clauses valid. The Court found that, in principle, the EU Standard Contract Clauses contain an effective mechanism which can in practice ensure compliance with the European level of data protection. However, it must be assessed in each individual case whether the laws of the third country of destination ensure, in accordance with Union law, adequate protection of personal data transmitted on the basis of standard contractual clauses and, if necessary, whether to provide more guarantees than those provided by those clauses. The transfer of personal data to a third country based on the standard contractual clauses may be suspended or prohibited if the recipient of the transfer does not or cannot comply with these clauses.

What does this mean for companies?

For companies, the ruling can have reaching consequences. The transatlantic transfer of data will now be targeted by the supervisory authorities, with the result that companies are exposed to a considerable risk of fines.

Companies must now review their data protection contracts with regard to the legal basis of any transatlantic data transfer. To the extent that the EU-US data protection agreement is the only legal basis, companies have to switch to alternatives.

Did you find this useful?