Privacy shield GDPR

The Court of Justice of the European Union ruled Thursday that Privacy Shield, the EU-U.S. data protection agreement, is invalid.

U.S. companies need some sort of legal justification to use Europeans' personal data. The reason is that the U.S. lacks an EU-strength federal privacy law (or indeed any comprehensive federal privacy law at all).

The easiest way for U.S. companies to keep things legal was to sign up to the so-called Privacy Shield register—essentially, self-certifying that the company will comply with EU rules. This register was created under a transatlantic deal of the same name, concluded between the U.S. and EU in 2016.

On Thursday, the Court of Justice of the European Union ("CJEU") found that Privacy Shield, a data protection agreement between the EU and the US, is invalid.

The CJEU news release revealed that in the court's view, "the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country, which the Commission assessed in Decision 2016/1250, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary."

Regarding the requirement of judicial protection, the CJEU also highlighted that "the Ombudsperson mechanism referred to in that decision does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law, such as to ensure both the independence of the Ombudsperson provided for by that mechanism and the existence of rules empowering the Ombudsperson to adopt decisions that are binding on the US intelligence services."

The ruling will have significant implications for personal privacy policies and trans-Atlantic business. In a statement, the US Secretary of Commerce Wilbur Ross said his department is "studying the decision to fully understand its practical impacts. ... We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies and governments." He also added that they were "deeply disappointed" with the ruling.

How this ruling will be received by the European Data Protection Board and the national EU regulators is very uncertain at this moment.

This latest ruling raises many questions, and it may take some time to fully clarify the impact on international data flows. We look forward to seeing the outcome of the Privacy Shield invalidation.