Most organisations rely on data transfer agreements known as Standard Contractual Clauses (SCC) to transfer personal data to countries outside of the EEA (European Economic Area).

European data protection law says data can only be transferred out of the EU, to the United States or elsewhere, if appropriate safeguards are in place. One such safeguard was the Safe Harbour agreement, which existed for several years.

Many organisations, including many email marketing suppliers in the US, relied upon the Safe Harbour agreement to show that they adhered to higher privacy standards before transferring data to the US.

In 2013, Mr Max Schrems, an Austrian privacy advocate, lodged a complaint against Facebook transferring data to the US, after leaks by ex-CIA contractor Edward Snowden revealed the extent of US surveillance.

His first case ended in 2015, with the Court of Justice of the European Union (CJEU) overturning the long-standing Safe Harbour agreement, and I wrote this blog on the subject – [https://blog.campaignmaster.co.uk/2015/10/14/safe-harbour-agreement-ruled-invalid/].

The EU-US Privacy Shield, which governed the transfer of EU citizens’ data to the United States, was the successor to this agreement.

On 16th July 2020, the Privacy Shield was struck down and confirmed invalid by the CJEU, in a case now commonly referred to as “Schrems 2”. In short, Mr Schrems argued that US national security laws did not protect EU citizens from the activities of the US intelligence service. This landmark ruling will have substantial implications for thousands of companies currently sharing data with the US.

So, what does this mean for European businesses?

Many businesses relied on the Privacy Shield, so now that it has been ruled invalid, these firms will be forced to review and sign standard contractual clauses drawn up by Europe that include all the relevant EU-approved clauses that allow for the international transfer of data.

The CJEU’s finding is that “the requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country”, and that the mechanisms in the EU-US Privacy Shield apparently intended to lessen this interference were therefore not up to the required legal standard of ‘essential equivalence’ with EU law.

US Secretary of Commerce Wilbur Ross said his department was “deeply disappointed” by the decision and said he hoped to “limit the negative consequences” to transatlantic trade worth $7.1 trillion (£5.6tn).

If you are concerned about personal data being transferred to the US through your email service provider, know that Campaignmaster never transfers data overseas. Our servers are based in the UK. Get in touch at info@campaignmaster.co.uk for further details and a free demo if you are now seeking to work with an alternative email marketing supplier following this landmark ruling.