The European Court of Justice ruled today that the EU-U.S. Privacy Shield framework does not provide adequate safeguards for transfers of personal data from the European Union to the United States because of the lack of limits on access to the transferred data by intelligence officials and others.
Under the European Union’s General Data Protection Regulation (“GDPR”), data controllers and processors may only transfer personal data outside of the Union if adequate safeguards exist to protect the data in the receiving country. Previously, for data transfers to the United States, businesses could rely on participation in Privacy Shield, the European Commission’s standard contractual clauses integrated into contracts between the exporting and importing parties, or regulator-approved binding corporate rules for intracompany transfers. About 5,300 businesses participate in Privacy Shield.
Following the ECJ’s decision, data exporters who rely on Privacy Shield will need to shift to standard contractual clauses or binding corporate rules, as appropriate, for their personal data transfers from the Union to the United States.