EU Top Court Strikes Down Privacy Shield, CCIA Calls for Urgent Legal Certainty and Solutions

July 16, 2020

Brussels, BELGIUM — The European Court of Justice (CJEU) issued a landmark ruling today that invalidates Privacy Shield, a key legal mechanism which thousands of companies use to transfer commercial data from the EU to the United States.

The CJEU ruled that the Privacy Shield decision does not comply with EU law. Among other things, the Court held U.S. law does not provide sufficient protection of EU personal data despite the public authorities access limitations provided in the Privacy Shield decision. The Court also takes issue with the Privacy Shield mechanism for EU individuals to seek judicial protection when their data is potentially accessed by U.S. public authorities.  

Over 5,000 companies have signed up to the Privacy Shield framework. 70% of them are small and medium-sized businesses. Many U.S. subsidiaries of European companies have also joined.

The CJEU did confirm that Standard Contractual Clauses (“SCCs”), another popular mechanism, remain valid to transfer data outside Europe. However, Data Protection Authorities must suspend or prohibit data transfers under SCCs if the laws of the country of destination are such that the contractual safeguards cannot be met by either one of the parties.

The following can be attributed to Alexandre Roure, CCIA Public Policy Senior Manager:

“This decision creates legal uncertainty for the thousands of large and small companies on both sides of the Atlantic that rely on Privacy Shield for their daily commercial data transfers. We trust that EU and U.S. decision-makers will swiftly develop a sustainable solution, in line with EU law, to ensure the continuation of data flows which underpins the transatlantic economy. We hope enforcement authorities will grant Privacy Shield signatories time to migrate to alternative legal mechanisms.”

For media inquiries, please contact Communications Director Heather Greenfield [email protected]

 

Related Articles

Cybersecurity: EU Cloud Requirements Risk Excluding International Suppliers, Global Businesses Warn

Brussels, BELGIUM – A broad coalition of business associations from around the world is calling on the EU to refrain from adopting new requirements that discriminate against legitimate suppliers of cloud services, which would not only limit Europe’s cloud choice but also undermine effective cybersecurity. The 13 signatories, representing both cloud users and vendors operating…

Product Safety: Eight Associations Call On EU Legislators to Finalise New Rules

The Computer & Communications Industry Association (CCIA Europe) and seven other leading trade associations, representing technology and e-commerce companies of all different sizes, today sent a joint letter to EU co-legislators on the General Product Safety Regulation (GPSR). As the European Parliament and the Council of the EU are entering the final stages of interinstitutional…

CCIA Files Comments On FTC Proposal To Expand Jurisdiction On Privacy Rules

Washington –  The Computer & Communications Industry Association submitted comments to the Federal Trade Commission (FTC) Monday in response to the agency’s Advanced Notice of Proposed Rulemaking on whether it should consider new trade rules on the collection, use and transfer of consumer data. CCIA noted that the FTC’s rulemaking and enforcement authority is limited…