Immedis Blog


EU Rules Privacy Shield Framework Invalid: What Organizations Need to Know

In July, the European Union’s Court of Justice ruled to invalidate Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield. Its decision arises from the view that the limitations on the protection of personal data resulting from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country,  do not satisfy EU legal requirements.

Why does this decision matter?

It matters because the Privacy Shield framework served as the basis for data transfer between the EU and the US.  Organizations with the Privacy Shield certification were permitted to transfer personal data of EU citizens to the US. Now, companies will have to find alternatives to transfer this data.

However, data can continue to flow between the US and other countries.

The court upheld Decision 2010/87 on standard contractual clauses (SCCs). However, the ruling did refer to the fact that this validity depends on whether there are effective mechanisms in place that make it possible, in practice, to ensure compliance with the level of protection required by EU law and that transfers of personal data according to such clauses are suspended or prohibited in the event of the breach of such clauses or it being impossible to honor them. In other words, there are stipulations and requirements for SCCs.

Background to the Schrem II decision

Now known as the Schrem II decision, the case arose from the actions taken by Max Schrem, an Austrian privacy advocate against the Irish Data Protection Commissioner relating to Facebook’s data transfers to the US. Schrem previously took an action (Schrem I) against Facebook Ireland- Facebook’s European head office- back in 2015, which led to the invalidation of the Safe Harbor arrangement. Schrem’s issue is that the light of Edward Snowdon’s revelations regarding the activities of the United States intelligence services (particularly the National Security Agency), the law and practices of the US offer no real protection against surveillance by the US of the data transferred to that country.

What now?

We can expect further discussions between the EU and the US as together they lay the foundations for new protections. When the ruling was first announced, the US Secretary of Commerce Wilbur Ross said, “ We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments.”


For other updates, please see our blog.


Get in touch: