GDPR—Third country decision by the EU Court of Justice


GDPR—Third country decision by the EU Court of Justice

22 July 2020

Regulatory News Alert

Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield

Context and objectives

On 16 July 2020, the Court of Justice of the European Union (CJEU) declared that the European Commission's adequacy decision regarding the European Union (EU)-United States (US) Privacy Shield is invalid. Now, companies can no longer transfer personal data to the US under the EU-US Privacy Shield and must use alternatives instead, such as EU standard contractual clauses (SCC), to avoid heavy fines. In addition, CJEU declared that EU SCC are still valid however may not be sufficient.

PDF - 144 kb

Summary of the CJEU's judgment

In its judgment, the CJEU considered several perceived shortcomings of the EU-US Privacy Shield mechanism.

The CJEU concluded that US law enforcement agencies have wide-ranging access to personal data received by US Privacy Shield-certified entities that is not subject to equivalent protections under EU law. In particular, the CJEU found that US law enforcement agencies’ access to transferred data is not subject to the principle of proportionality nor limited to what is strictly necessary. In addition, the CJEU found that data subjects have no right to an effective remedy regarding law enforcement agencies and national security.

Accordingly, the CJEU held that the European Commission’s adequacy decision was invalid.

Validity of SCC

In contrast, the CJEU declared that EU SCC are still valid under certain conditions. Namely, the CJEU found that any legal personal data transfer mechanism must not undermine the level of protection of natural persons guaranteed by the General Data Protection Regulation (GDPR) and the EU Charter on Fundamental Rights. Therefore, when using SCC, companies must verify on a case-by-case basis whether the destination country's laws comply with the GDPR, the SCC themselves, and the EU Charter on Fundamental Rights; and if they are in any doubt, provide for additional safeguards before the personal data transfer is carried out.

Impact on businesses

The CJEU's ruling means that businesses in the EEA will no longer be able to transfer personal data to a recipient in the US under the recipient's Privacy Shield certification. Therefore, current procedures and operations should be reviewed in light of this new interpretation and GDPR requirements.

Because the CJEU's ruling takes immediate effect, many businesses that relied only on the Privacy Shield as their primary justification for transferring personal data to the US will need to implement an alternative transfer mechanism (such as the EU SCC) or perhaps rely on a derogation.

In addition, businesses relying on EU SCC (or similar mechanisms like binding corporate rules) need to ascertain on a case-by-case basis if additional guarantees must be put in place, for example if the transfer is to the US or another country without an adequacy decision in place.

How can Deloitte help?

Deloitte’s data protection advisory specialists and dedicated services can help you clarify the effect of this decision, evidence gaps if any and identify potential solutions and take the necessary steps to put these solutions in place.

Deloitte’s Regulatory Watch Kaleidoscope service helps you stay ahead of the regulatory curve to better manage and plan upcoming regulations.

Deloitte can help you structure your activity to develop new products and adapt to regulatory and market demands.


Subject matter specialists

Roland Bastin
Partner –  Risk Advisory
Tel : +352 45145 2213

Jean-Pierre Maissin
Partner – Strategy, Analytics and M&A Leader
Tel : +352 45145 2834

Irina Hedea
Partner – Information & Technology Risk
Tel : +352 45145 2944

Georges Wantz
Managing Director – Technology & Enterprise
Tel : +352 45145 4363

Regulatory Watch Kaleidoscope service

Simon Ramos
Partner – IM Advisory & Consulting 
Tel : +352 45145 2702

Jean-Philippe Peters
Partner – Risk Advisory
Tel : +352 45145 2276

Benoit Sauvage
Director – Risk Advisory
Tel : +352 45145 4220

Marijana Vuksic
Manager – Risk Advisory
Tel : +352 45145 2311


Insert CSS fragment. Do not delete! This box/component contains code needed on this page. This message will not be visible when page is activated.

Did you find this useful?