EU-US Privacy Shield

July 16, 2020: The Court of Justice of the European Union declared the EU-U.S. Privacy Shield arrangement is invalid. However, it did uphold the validity of standard contractual clauses, with a caveat: the third country to which EU data is transferred must have protections in place, particularly around access by public authorities and the ability for EU citizens to have legal redress.

The EU-U.S. Privacy Shield, on July 12, 2016, was officially adopted by the European Commission, establishing a data transfer mechanism between the two regions that replaced the previous Safe Harbor framework.

In October of 2015, the European Court of Justice deemed Safe Harbor inadequate in the protection of EU citizen data, particularly in light of the access that the U.S. government had/has to data held on servers in the U.S. The Safe Harbor challenge began in 2012, with then-law student Max Schrems taking issue with Facebook’s data handling practices, claiming they violated EU law. Schrems ended up taking his complaints all the way to CJEU and they agreed.

Want to know what the Privacy Shield means for your organization? Read on.

Log in now to access this IAPP member-only content.
Not a member? Join now.