The European Court of Justice (ECJ) today invalidated the EU-US privacy agreement "EU-US Privacy Shield". The background to the decision is a complaint by Austrian lawyer and data protection activist Max Schrems. He had complained to the Irish data protection authority that Facebook Ireland had forwarded its data to its parent company in the United States. The complaint was based on the fact that Facebook is obliged in the United States to make the data available to US authorities such as the NSA and the FBI without the data subjects being able to object.
The ruling is likely to have a drastic impact on many companies within the EEA and in Switzerland that have placed their trust in the EU-US Privacy Shield, as the transfer of personal data to the United States now lacks a legal basis in many cases. It remains to be seen whether this decision will also have an impact on the "Swiss-U.S. Privacy Shield", for which companies from the United States have been able to obtain certification since April 12, 2017.
According to Regulation (EU) 2018/1725, an international transfer of personal data may only take place if there is adequate protection of the fundamental rights of the data subjects with regard to data protection in the recipient country. Until 20 July 2000, transfers to US institutions that had joined the Safe Harbor regime were considered adequate under European Commission Decision 2000/520/EC. However, this adequacy decision was declared invalid by the European Court of Justice on October 6, 2015, so that no further transfers to the United States can be made on this basis. In February 2016, the European Commission and the United States agreed on a new framework for transatlantic data transfers. The so-called "EU-US Privacy Shield" replaced the Safe Harbor regime, which led to the formal adoption on July 12, 2016 of a new European Commission adequacy decision for transfers to U.S. entities that have joined the EU-US Privacy Shield.
In today’s decision, the EU-US Privacy Shield was also struck down. In the opinion of the ECJ, the United States surveillance laws are too far-reaching for the EU-US Privacy Shield to adequately protect the data subjects. However, the ECJ has also clarified that personal data of data subjects may continue to be transferred to the United States and other states on the basis of so-called standard contractual clauses.
Even though this decision is likely to have an impact on the legal situation in the USA in the longer term, the primary responsibility for the protection of personal data remains with the companies that transfer personal data to the United States.