EU-US Privacy Shield is invalid, says European Court of Justice
Although Standard Contractual Clauses remain valid, the decision creates uncertainty for companies which have been relying on the Shield for their EU-US transfers. By Laura Linkomies.
The EU-US Privacy Shield was declared invalid by the Court of Justice of the European Union (CJEU) on 16 July. The court said that the agreement does not provide equivalence of protection to EU citizens due to access to personal data by the US surveillance community, and that there are faults in the US Ombudsman system. The US Department of Commerce, which administers the programme, was quick to express its disappointment, saying that the department would continue to maintain the current list, and process submissions for self-certification and re-certification.
The decision brought some relief in keeping Standard Contractual Clauses (SCC) as a valid transfer mechanism, but with extra conditions. The European Commission is working on an updated, post-GDPR version of the SCCs, but in the meantime companies will have to conduct a due diligence process to assess the level of protection of their data transfers and the tools they will utilise.