The Court of Justice of the European Union invalidates the Privacy Shield

In a decision that takes us back five years, the Court of Justice of the European Union (CJEU) has once again overturned the framework of international data transfers between the European Union (EU) and the United States (US).

In 2016, the European Commission issued a decision declaring transfers of personal data between the EU and the US valid, provided that the company receiving the data adhered to a control system called the “Privacy Shield”. This decision by the Commission in 2016 overcame the problem that had occurred a year earlier, when the CJEU had overturned the internal transfers scheme that had been in place until then, the so-called “Safe Harbor”, following a claim by an Austrian citizen, Maximiliam Schrems, against Facebook. The claimant had held that data transferred from Europe to the US by the social media service were not safe because the government and American intelligence agencies could access the data without respecting the fundamental rights that the EU offers its citizens, basically the right to privacy and protection of their data.

When the CJEU overturned the Safe Harbor, since there was no general framework, the only alternative to make an international transfer was to use the European Commission’s so-called “Standard Contractual Clauses”, a document that had to be signed by both parties, the exporter and the importer of the data before the transfer. This situation caused legal upheaval, and led to huge problems for companies that wanted to transfer data to the EU or which used service providers in the US. The approval of the Privacy Shield in 2016 made international transfers simple and smooth again.

The new CJEU judgment is like a remake of the situation in 2015. Schrems again filed a claim against the Irish regulator on the grounds that neither the Standard Contractual Clauses nor the Privacy Shield respected his fundamental rights when his data were transferred to the United States. Ireland again referred the matter for a preliminary ruling by the CJEU and the court has again overturned - in what is now called the Schrems 2 judgment - the transfer scheme approved by the European Commission. However, the CJEU has held that the standard contractual clauses, which had also been contested, remain valid.

The consequence of all of this is that that the vast majority of international transfers that occur every day between Europe and the US have become illegal. Consequently, the exporter and importer must adopt other safeguards immediately (for example by signing standard contractual clauses if possible, or requesting authorization from the control authority), modify their privacy policies and carry out other internal risk analyses, if they do not want to run the risk of huge fines for breaching the GDPR, which can be up to 20 million euros or 4% of annual revenues.