Publication date: 27 August 2020
The EU-US Privacy Shield has been invalidated. This means that companies need another legal basis for the transfer of data of EU citizens to the US. It is strongly recommended to quickly implement appropriate alternative safeguard mechanisms, e.g. Standard Contractual Clauses or Binding Corporate Rules.
On 16 July 2020, the Court of Justice of the European Union invalidated the EU-US Privacy Shield in Case C-311/18 (known as ‘Schrems II’). The decision greatly impacts companies that based their data transfers between the EU and the US on the Privacy Shield. Where to go from here?
All EU member states and the three additional EEA countries (Norway, Iceland and Liechtenstein) have implemented the EU General Data Protection Regulation (‘GDPR’) in their national laws. Countries not complying with the GDPR are referred to as third countries. Following from the GDPR, personal data can only be transferred to a third country if that country offers an adequate level of data protection. The GDPR offers a wide range of safeguard mechanisms based on which data can be transferred to third countries, amongst others:
The US is a third country and does not offer an adequate level of data protection. The EU-US Privacy Shield was created to give companies on both sides of the Atlantic a relatively easy mechanism for complying with the data protection requirements of the GDPR. US companies were given the opportunity to voluntarily comply with this framework through certification; certified companies were recorded by the US Department of Commerce. If a US company was not certified under this framework, contractual arrangements complying with the GDPR had to be made. The framework allowed free transfer of data from the EU to US companies that were certified under the Privacy Shield. In an adequacy decision, the European Commission recognized the US, limited to the Privacy Shield framework, as providing adequate protection as required by the GDPR.
In Schrems II the Court of Justice of the European Union ruled that:
Please note: according to the European Data Protection Board (‘EDPB’) these additional protections also need to be taken into account when BCRs are used as a legal basis.
As a result of the immediate effect of the decision, data transfers on the basis of the Privacy Shield are illegal as from 16 July 2020.
Therefore, we would like to provide you with some points of attention:
Please note: the US Department of Commerce has stated that it will continue to administer the Privacy Shield programme. The decision of the Court of Justice of the European Union does not relieve participating (certified) US companies of their Privacy Shield obligations. It is, however, possible to withdraw from the Privacy Shield. In that case the company must continue to apply the Privacy Shield principles to the data it received while participating in the Privacy Shield.
You can contact Russell Advocaten with all your GDPR-related matters. We will gladly help you assess how to comply with all requirements in order to be able to transfer data within and outside the EU. Please contact us: