On July 20, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield arrangement (drafted in 2016 by the European Commission).
The deal had previously allowed the transfer of personal data from EU parties to US counterparts, providing a self-certification mechanism granted to US firms, stating that personal data received from EU would be protected according to EU data protection legislation (including the 2018 General Data Protection Regulation (GDPR)).
This arrangement laid its bases on standard contractual clauses (SCCs), which prevented companies from having to sign ad hoc agreements for each different flow of data exiting the EU.
Max Schrems, an Austrian privacy campaigner, challenged the order of things arguing that the US’ legal system does not offer sufficient protection for personal data, starting from the complete freedom granted to public authorities (in particular, national security and law enforcement agencies) to access and intercept communications under surveillance programmes involving non-US citizens.
The CJEU’s ruling, now abruptly stops all transfers of data relying on the Privacy Shield, and even though it doesn’t invalidate SCCs, the decision still throws shade on the propriety of intergovernmental data sharing agreements under the US Foreign Account Tax Compliance Act (FATCA) and the OECD Common Reporting Standard (CRS).
Practically speaking, EU Member States’ national data protection authorities will now have to stop transfers made under standard contractual clauses if data protection laws of the recipient’s country do not grant the same level of protection present in the EU.
Parties entering into SCCs will be required to personally assess transfers and look out for changes in the legal framework of the recipient’s country, if such laws at any point do not satisfy the standards, data already transferred must be destroyed or returned.