Uncertain Future for EU-US Data Transfer as ECJ Voids ‘Privacy Shield’ Agreement

by | Jul 16, 2020

The European Court of Justice has today issued a ruling that voids the existing Privacy Shield agreement for data sharing between the European Union and United States due to the fact that it does not adequately safeguard the private data of European citizens.

The ruling is certain to have an impact on almost every business, no matter the size, operating in the EU. It comes following a long and arduous legal battle that was initiated as far back as 2013 when privacy activist Max Schrems lodged a complaint with the Irish Data Protection Commission (DPC).  This complaint was in relation to disclosures about secretive US surveillance agency programmes that access user data from a roster of huge US social media and internet firms. In particular, Schrems and his data privacy lobby group noyb were critical of the manner that Facebook completed data transfers.

Schrems made allegations that, due to the Edward Snowden revelations, US legislation did not allow adequate security against surveillance by public authorities. This complaint was made primarily against Facebook. A ruling was made that the agreement between the EU and US for data sharing, then referred to as the Safe Harbour Agreement was no longer valid. As part of this businesses began to use Standard Contractual Clauses (SCCs) to continue sharing data between the two markets while a new agreement, known as Privacy Shield, was formulated.

Today’s ruling essentially means that Privacy Shield has been invalidated and there are new compliance burdens being placed on the use of SCC transfers to all countries external of the EU. Basically in order to do so companies receiving data in the external jurisdictions will be required to complete an independent review to ascertain if the destination country has sufficient legislation for the the contract clauses to be enforced.

Additionally, data protection authorities in all EU member states will be responsible for overseeing these transfers and will be expected to prevent transfer flows if they are being sent to a country where the data protection legislation has been deemed insufficient or problematic.

The ECJ released the following comment with the ruling: “Regarding the level of protection required in respect of such a transfer, the Court holds that the requirements laid down for such purposes by the GDPR (General Data Protection Regulation) concerning appropriate safeguards, enforceable rights and effective legal remedies must be interpreted as meaning that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses must be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR.”

It went on: “In those circumstances, the Court specifies that the assessment of that level of protection must take into consideration both the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the data transferred, the relevant aspects of the legal system of that third country.”

The next step in the legal saga will see the case will return to the Irish Courts for a final set of rulings before the end of October 2020. The DPC in Ireland will order Privacy Shield transfers to be ended and a review of the US’ legal framework be completed, possibly in coordination with the EDPB. In the meantime it is recommended that all SCCs are reviewed by both sides in each agreement so that they are sure they will be able to stand over the agreement if required to do so as part of a legal process.
Reacting to today’s ruling Schrems said: “I am very happy about the judgment. It seems the Court has followed us in all aspects. This is a total blow to the Irish DPC and Facebook. It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market.”

He went on: “The Court clarified for a second time now that there is a clash between EU privacy law and US surveillance law. As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley.”This judgment is not the cause of a limit to data transfers, but the consequence of US surveillance laws. You can’t blame the Court for saying the unavoidable – when shit hits the fan, you can’t blame the fan.”

Commenting on the ruling Simon McGarr, one of Europe’s top data protection experts, told Yahoo Finance news: “Everyone is focusing on Facebook as a familiar household name, but in reality, this is a massive strengthening of the EU’s regulatory power in order to enforce its human rights-based vision of data processing.”

He added: “It’s now incumbent on both the company sending the data and the company receiving the data, and EU data regulators, to do their own examination of the enforceability of those contracts under local laws of every single receiving country.”

The full consequences of today’s will be seen in the coming days and months but there is now a huge question mark over how companies can transfer data from the EU to the US without being in breach of the General Data Protection Regulation if they are using Privacy Shield or SCCs as a basis for doing so.

Associate general counsel at Facebook, Eva Nagle, released a statement confirming that tha the company is already review the impact of this ruling. She said: “Like many businesses, we are carefully considering the findings and implications of the decision of the Court of Justice in relation to the use of Privacy Shield and we look forward to regulatory guidance in this regard. We will ensure that our advertisers, customers and partners can continue to enjoy Facebook services while keeping their data safe and secure.”

In a statement released which welcomed the decision, the Data Protection Commission of Ireland said : “the Court also agreed with the DPC’s view that, whatever mechanism is used to transfer data to a third country, the protection afforded to EU citizens in respect of that data must be essentially equivalent to that which it enjoys within the EU.”


Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy