The EU-US Privacy Shield has been struck down by the Court of Justice of the European Union (CJEU).
In a landmark decision with far-reaching effects issued on July 16, 2020, the Court held the EU-US Privacy Shield framework for moving information from the EU to the US to be invalid due to insufficient data protection measures in the United States. The Court also upheld but placed limits on the use of Standard Contractual Clauses for the transfer of personal data to processors outside of the EU. The ruling in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Schrems II), is the latest development in Max Schrems’ case against Facebook.
This decision will force the US and EU back to the negotiating table and will likely also impact future data transfers between the EU and the UK or other third countries. EU Data Protection Authorities are expected to keep a close eye on companies exporting personal data outside the EU/EEA. Companies engaging in data transfers will now face a period of ongoing uncertainty and disruption around their legality. Such companies should review their own internal policies and the internal policies of third-party data processors to bring them in line with GDPR requirements.
Given these developments and the growing scale, sophistication and cost of cyber-attacks – not to mention scrutiny from consumers and watchdogs with regards to how personal data is collected – the need for expert legal support in this field is business-critical. At 360 Business Law, our global team of attorneys has deep data protection and privacy knowledge that allows us to provide detailed, expert-level advice and robust representation to clients in over 65 countries, including the US and EU/EEA member states.
Get in touch with our team to arrange a free consultation at your convenience.