The EU-US Privacy Shield declared invalid – what happens now with the personal data transfers to the USA?


The European Union Court of Justice has recently rendered a new decision whereby for a second time in the past few years the personal data oversea transfers are now at stake.

Following the Safe Harbor invalidation in 2015, the European Union and the United States have created a new legal mechanism for the transfer of EU citizens’ personal data to the US. The adopted Privacy Shield has since then served as the legal basis for business transfers oversea.

However, a recent decision of the EU Court of Justice has declared the Privacy Shield invalid as well.

The Court exhaustively motivates its decision by pointing out that the Privacy Shield does not adequately protect the personal data of EU citizens once their data is transferred to the US. Following the transfer, the data are accessible for the US public authorities via different surveillance programs. It therefore appears that once in the US, the personal data are extended a lower level of protection than the one secured by the European Union law.

Since it was declared invalid, the Privacy Shield may no longer be used by European companies that transfer personal data to the US. Hence, all such companies that have so far used the Privacy Shield for their transfer, will now have to make an internal review of their procedures.

Going forward, the business will have to rely on the standard clauses for its data transfers. This will be a workable solution until the EU and the US manage to find a new legal mechanism, if any.

However, the Court pops some new questions here as well – are the contractual clauses incorporated in the main contracts always and without any limitations an appropriate solution for the data transfers to third countries?

Until recently, the answer was positive. However, this seems not to be the case any longer as the Court now rules that a case-by-case evaluation has to be made when personal data are transferred to third countries. The data exporter must evaluate whether the country of the data importer secures an adequate level of personal data protection. The criterion for this adequacy will be whether the host country has at least the same personal data protection guarantees as the European Union law (including the General Data Protection Regulation).

Therefore, each company to transfer personal data outside of the EU will bear the obligation to suspend any transfers to third countries which do not offer an adequate level of personal data protection. This obligation will additionally enhance the companies’ burden to fully get to know their business partners, including on matters such as where do those partners store the personal data provided to them, how are those personal data stored and are they disclosed to any third parties, including any public authorities.

For further information contact:

Ilya Komarevski, partner

Mileslava Bogdanova-Misheva, senior associate