EU-USA data transfer - CJEU judgment

Krzysztof Grabowski, Data Protection Officer
The Court of Justice of the European Union annulled the Privacy Shield Agreement, which was the legal basis for the transfer of the data from the EU to the US. What are the consequences of this judgment for business?

The CJEU has ruled that the legal solutions of Privacy Shield did not provide effective protection of the privacy of the transferred data, in particular because the US intelligence services could secretly access the data. This is another decision of the European Court of Justice which proves the importance of adequate privacy safeguards and which shows that the national authorities should not ignore natural persons' complaints, but take firm actions to protect their rights.

The CJEU addressed the issue of Privacy Shield following a complaint lodged by an Austrian citizen who argued that US law did not provide adequate protection for the data transferred from Europe, which may have resulted in unauthorised access. 5 years ago, the same person, after a case brought against Facebook, contributed to the annulment of the transfer of the data from the EU to the US under the Safe Harbour mechanism.

So, what`s with the data transfer to the US?

The CJEU judgment does not prohibit the data transfer from the European Union to the US. This is still possible, and it is governed by Articles 44-49 of the GDPR. At present, all EU companies which plan to transfer data to third countries (outside the EEA) must check the legal grounds for doing so.

Upon termination of Privacy Shield, the legal grounds for data transfer to third countries are as follows:

  • standard contractual clauses, i.e. the agreement on data transfer protection between the transferor and the transferee
  • explicit consent of the person to which the data relates, preceded by information on the possible risks arising from a lack of adequate safeguards

Data administrators who wish to know whether a CJEU judgment relates to their activities should consult the register of data processing activities for the transfers to the US. If such a transfer exists and the legal ground for processing the data is Privacy Shield, it should be changed to a lawful one.

Contact our expert

Personal data protection