In a landmark judgment, the European Court of Justice (ECJ) annulled the “EU-U.S. Privacy Shield,” which was introduced in July 2016. The ECJ found that the transatlantic data transfer framework did not uphold the data security rights of EU citizens as defined under the General Data Protection Regulation (GDPR). It stated that U.S. surveillance law does not have strong data privacy measures to protect its citizens’ data, and asked companies to rely for the time being on the legal mechanism already in place, the standard contractual clauses (SCCs).
What is EU-U.S. Privacy Shield?
With a view to creating a safe passage for personal data transfers between European and U.S. companies, the U.S. Department of Commerce and the European Commission established the EU-U.S. Privacy Shield framework. According to the framework's website, to join the Privacy Shield a U.S.-based organization is required to self-certify to the Department of Commerce on its website and publicly commit to comply with the Privacy Shield’s requirements. Once made, that commitment is enforceable under U.S. law.
The ECJ’s Ruling
Prior to the EU-U.S. Privacy Shield, U.S.-based companies were using SCCs to authorize the transfer of data between the continents, following the ECJ’s 2015 decision to strike down Safe Harbor, another EU-U.S. data transfer mechanism. However, with the GDPR coming into effect in 2018, data privacy and protection standards have become more stringent. According to the ECJ’s ruling, the U.S. surveillance laws did not match this standard, and “the provisions do not grant data subjects actionable rights before the courts against the US authorities,” which again is a violation of the basic rights of its citizens.
On the other hand, the ECJ, even while approving the SCCs, added a few conditions on their use. It said that data protection authorities (DPAs) should suspend or prohibit a transfer of personal data to a third country if they believe that country cannot comply with the standard data protection clauses and the GDPR.
The U.S. Department of Commerce was rather unhappy with this decision but upheld the ECJ’s ruling and is looking to improve the Privacy Shield's personal data privacy protections. What will be interesting to see in the coming days is how the ruling affects the existing members of the shield, of which 70% are small and medium-sized enterprises (SMEs) that might not have enough resources in the current COVID-19 situation to revert to SCCs.