EU-US Privacy Shield Ruled Invalid


The Court of Justice of European Union has invalidated the EU-US Privacy Shield but upheld the validity of Standard Contract Clauses (“SCC”).  The Privacy Shield was an important data protection framework because the GDPR does not permit the transfer of data out of the EU unless it is being transmitted to a country deemed as having adequate data protection laws.  The EU does not list the US as one those countries.

However, the EU-US Privacy Shield created a program whereby participating companies were deemed to have adequate data protection in order to meet the requirements of the GDPR.  This then permitted the transfer of data from the EU to the US.

The other way to transfer data was to use a set of Standard Contractual Clauses issued by the EU that provided sufficient safeguards on data protection in order to be transmitted internationally.

With the Privacy Shield invalidated, EU data can’t be transferred to the US without the risk of violating the GDPR.   These companies now need to quickly establish the SCC between them.  Of course, these US companies will need to ensure that they can meet the requirements s of the SCC.

Additional information can be found in the Court of Justice of the European Union Press Release.