The CJEU declares the EU-US Privacy Shield invalid: blurry future for international personal data transfers
The Court of Justice of the European Union (CJEU) has just declared the Privacy Shield Decision invalid, in its entirety.
The Court of Justice of the European Union (CJEU) has just declared the Privacy Shield Decision invalid, in its entirety.
The CJEU was seized with a request for a preliminary ruling introduced by the Irish High Court about the validity of the Commission decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries (the SCC Decision). The CJEU addressed the eleven questions referred by the Irish High Court and concludes, in substance that:
- Nothing affects the validity of the SCC Decision as it "provides for effective mechanisms which, in practice, ensure that the transfer to a third country of personal data pursuant to the standard data protection clauses in the annex to that decision is suspended or prohibited where the recipient of the transfer does not comply with those clauses or is unable to comply with them." (§148);
- The Court's analysis must take into consideration the Privacy Shield Decision and examine whether the latter complies with the requirements stemming from the GDPR read in light of the Charter. On the basis of succinct arguments, the CJEU concludes that "Article 1(1) of the Privacy Shield Decision, in finding that the US ensures an adequate level of protecton for personal data transferred from the Union to organiation in the US under the EU-US Privacy Shield, disregards the requirements of Article 45(1) of the GDPR read in light of Articles 7, 8 and 47 of the Charter." According to the CJEU, as Article 1 is inseparable from Articles 2 and 6 and the annexes to the decision, its invalidity affects the validity of the decision in its entirety.
The CJEU does not see any reason to mitigate the effects of its landmark decision and considers that in any event “the annulment of an adequacy decision such as the Privacy Shield Decision is not liable to create any legal vacuum”.
Companies relying on this safeguard to secure the transfer of personal data from the EU to the US should pay great attention to this case, immediately stop relying on their Privacy Shield certification and rely on alternative safeguards provided by the GDPR.
The full decision is available at this link.