European Court of Justice invalidates the US Privacy Shield's adequacy under GDPR


GDPR applies to situations in which personal data is collected directly on EU territory, or to services directed towards the EU. Moreover, a transfer of personal data is allowed only if the receiving entity can guarantee an equivalent level of protection of data subjects' rights and freedoms. Recital 14[1] of the implementing decision recalls the EU-US Privacy Shield mechanism.

Despite this implementing decision from the European Commission, the US Privacy Shield is not considered to offer a substantially equivalent protection to data subjects. The fact that US public authorities can have access to personal data is contrary to the rights and freedoms of individuals as established in the EU Charter of Fundamental Rights.

This decision implies that in situations where any personal data is transferred to the US:

  • Transfers based on the Privacy Shield violate GDPR and must therefore be suspended.
  • Transfers based on any other appropriate safeguard (standard data protection clauses, binding corporate rules, approved code of conduct, adequacy decision, etc.) remain valid only if effective measures to ensure the protection of data subjects' rights and freedoms are established.

Therefore, concerned organizations (e.g. SMEs, local entities or groups), in order to fulfill their accountability obligations (art. 24), must verify that any personal data transfer towards the US ensures sufficient protection; if it does not, the transfer must be suspended until appropriate safeguards have been implemented.

[1] The EU-U.S. Privacy Shield is based on a system of self-certification by which U.S. organisations commit to a set of privacy principles — the EU-U.S. Privacy Shield Framework Principles, including the Supplemental Principles (hereinafter together: ‘the Principles’) — issued by the U.S. Department of Commerce and contained in Annex II to this decision. It applies to both controllers and processors (agents), with the specificity that processors must be contractually bound to act only on instructions from the EU controller and assist the latter in responding to individuals exercising their rights under the Principles.