The CJEU has ruled that the legal solutions of Privacy Shield did not provide effective protection of the privacy of the transferred data, in particular because the US intelligence services could secretly access the data. This is another decision of the European Court of Justice which proves the importance of adequate privacy safeguards and which shows that the national authorities should not ignore natural persons' complaints, but take firm actions to protect their rights.
The CJEU addressed the issue of Privacy Shield following a complaint lodged by an Austrian citizen who argued that US law did not provide adequate protection for the data transferred from Europe, which may have resulted in unauthorised access. 5 years ago, the same person, after a case brought against Facebook, contributed to the annulment of the transfer of the data from the EU to the US under the Safe Harbour mechanism.
The CJEU judgment does not prohibit the data transfer from the European Union to the US. This is still possible, and it is governed by Articles 44-49 of the GDPR. At present, all EU companies which plan to transfer data to third countries (outside the EEA) must check the legal grounds for doing so.
Upon termination of Privacy Shield, the legal grounds for data transfer to third countries are as follows:
Data administrators who wish to know whether a CJEU judgment relates to their activities should consult the register of data processing activities for the transfers to the US. If such a transfer exists and the legal ground for processing the data is Privacy Shield, it should be changed to a lawful one.
Contact our expert
Personal data protection