EU-US Privacy Shield Invalidated

The European Union Court of Justice (CJEU) on July 16, 2020 invalidated the EU-US Privacy Shield in its decision in Facebook Ireland v. Schrems (Schrems II). The court concluded that the Privacy Shield transfer mechanism does not comply with the level of protection required under EU data protection laws. The decision will impact many companies in the EU and the US, as well as companies around the globe that transfer data from the EU to the US. Companies that depend on the Privacy Shield for EU-US data transfers must explore other data transfer options in order to avoid illegal transfers of personal data from the EU in violation of the General Data Protection Regulation (GDPR).

The EU-US Privacy Shield is a framework for self-certification approved by the US Department of Commerce and the European Commission in 2016, and is one of the mechanisms that was deemed adequate to enable the transfer of EU personal data to the US.

However, businesses in the EU that transfer data into the US or have data processors in the US can still transfer data by using Standard Contractual Clauses and adequacy decisions approved by the European Commission. The GDPR (Articles 45 and 49) also provides additional transfer mechanisms, including binding corporate rules, explicit consent from data subjects for each transfer, or when the transfer is necessary for the performance of a contract with the data subject.