ECJ Overturns Data Transfer Agreement Privacy Shield with United States.

 Data Protection Agreement on the Transfer of Personal Data "Privacy Shield" Between the EU and the United States Fails to Meet the Requirements of the GDPR.

Tobias Vößing

ECJ Overturns Data Transfer Agreement Privacy Shield with United States

In its ruling of July 16, the ECJ declared the data protection agreement Privacy Shield between the United States and the EU to be invalid (Ref C-311/18).

The privacy protection agreement Privacy Shield was intended to ensure that personal data of EU citizens are properly protected when transferred to the US. For a long time the agreement was controversial and was criticized by data protectionists. Reason for the criticism: The secret services in the United States have almost unlimited access to these data. 

The European Court of Justice (ECJ) has now ruled that the agreement is invalid. But this does not mean the end of the transmission of user data to the United States and other states. This is still possible based on the so-called standard data protection clauses of the EU Commission.

US Authorities Have Access to Data

The reason for the ECJ decision is a dispute between the Austrian lawyer Max Schrems and Facebook Ireland. Schrems defended himself against the fact that his user data was forwarded by Facebook Ireland to the parent company in the United States. He reasoned that this was due to the lack of data protection in the United States. Facebook is obliged to make the data available to authorities such as the CIA or FBI. Data subjects can hardly defend themselves against this. 

GDPR Requirements Not Met

But this does not comply with European data protection requirements. The ECJ has now found that even Privacy Shield cannot ensure sufficient data protection. According to the General Data Protection Regulation (GDPR), personal data may in principle only be transferred to a third country if an adequate level of data protection is guaranteed in the relevant country. With regards to the extensive possibilities for the US authorities to access the data, Privacy Shield does not guarantee sufficient protection of the user data of EU citizens, according to the ECJ. In addition, the legal protection for data subjects is also unsatisfactory.

Standard Contractual Clauses Remain in Force

But the verdict does not mean the end of all data transfers to the United States. On the basis of so-called standard contractual clauses, user data of EU citizens can be transmitted further to the United States and other countries. These generally contained sufficient mechanisms to guarantee data protection, the ECJ formulated. If, however, data protection authorities believe that the standard contractual clauses are not being observed in the recipient country, they can suspend or prohibit the data transfer.

In practice, the ECJ decision has far-reaching consequences for many companies. They will have to ensure that adequate data protection is provided for every data transfer from or to the United States. They can no longer rely on the Privacy Shield.

Now, companies need to take measures to harmonize their international data transfer with the regulations of the GDPR. Otherwise, there is a risk of a violation of the GDPR, which can be heavily sanctioned.

ECJ overturns Privacy Shield. However, standard data protection clauses of the EU Commission remain in force as current data protection solution.