KienhuisHoving becomes Kienhuis Legal
New website live soon

EU-US Privacy Shield ruled invalid: potentially major consequences

The European Court of Justice recently ruled on the so called ‘EU-US Privacy Shield’ and ‘standard contractual clauses’. The judgment can have major consequences for companies doing business with parties in the US.

In a judgment of 16 July 2020, the European Court of Justice ruled the EU-US Privacy Shield to be invalid. This is important news for anyone doing business with a US-based party certified under the EU-US Privacy Shield. (A list of those parties can be found here.) As a consequence, they must immediately take action to prevent the associated transfers of personal data from resulting in a violation of the GDPR. The invalidation of the EU-US Privacy Shield results in the expiration of an important and very commonly used basis for allowing personal data to be shared with the US. Without such a basis, transfers of personal data to countries outside the EEA (so-called ‘third countries’) are not allowed.

The Court also ruled, among other things, on the so-called ‘standard contractual clauses’, which also provide a basis for transfers of personal data to third counties. These clauses remain valid for the time being. The Court did note that the applicability of these standard contractual clauses does not mean that the requirement of an ‘adequate level of protection’ as required by the GDPR is met. Among other things, it is also relevant what the legal system of the relevant third country says about possible access of public authorities to the personal data transferred. This means that even if standard contractual clauses apply, it is possible that personal data still may not be transferred to a third country.

Do you want to know more about the consequences of the judgment for your business? Do you need advice on transfers of personal data to the US or other third countries? Or do you have any other questions regarding the above? Please contact the professionals from our IP, IT and privacy team.

The Dutch version of this blogpost can be found here.

Share on