What is Privacy Shield? 

Privacy Shield effectively replaced the ‘Safe Harbour’ regime as a US compliance mechanism for personal data transfers from the EU to the US, and effectively offered greater protections to EU citizens requiring the US authorities to take account of EU privacy concerns. If an EU resident’s personal data ends up in the US for either controlling or processing, it’s very likely it has been transferred under the Privacy Shield regime. 

The Court of Justice of the European Union (the “CJEU”) decision 

The CJEU finally delivered its highly anticipated judgement on 16 July 2020 in Data Protection Commissioner v Schrems [1]This decision held that the EU-US Privacy Shield was inadequate for the lawful transmission of data of EU residents to the US for commercial purposes.  

The decision is effective immediately. This means that any company that had relied on the Privacy Shield as a mechanism for cross-border data transfers must now adopt another lawful transfer mechanism. 

How can businesses transfer personal data to the US now? 

Standard Contractual Clauses (“SCCs” - model data protection clauses that have been approved by the European Commission and enable the free flow of personal data when embedded in a contract) are now the preferred transfer mechanism for companies that had relied on the Privacy Shield. The CJEU has validated the use of SCCs to export personal data from the EU but subject to strict compliance with requirements under the GDPR. 

Next Steps for your Organisation 

Organisations will need to review the mechanisms they rely on to transfer data to third countries.

As the Privacy Shield has been deemed invalid, all data transfers from the EU to the US, which were previously based on the Privacy Shield exclusively, are now to be considered illegal.

If seeking to rely on SCCs instead, prior to any transfer, organisations will need to carefully consider whether they have complied with the obligation to verify the level of protection in the third country concerned. Where this is not the case, the transfer may be suspended or terminated.

Please see the article attached for our full summary on the judgement.

Leman Solicitors regularly advises organisations on drafting and updating data protection policies and has extensive experience advising on a range of data protection related issues/disputes arising in the above context. For further information, please contact Sheila Spokes at spokes@leman.ie, James Shannon at jshannon@leman.ie or Morgan Crowe at mcrowe@leman.ie. 

[1] CJEU C-311/18, 16 July 2020