Privacy Shield decision of the ECJ – what companies need to know now

Posted: Thu Jan 30, 2025 8:48 am
by ritu2000
On July 16, 2020, the European Court of Justice (ECJ) declared the most important data protection agreement, the Privacy Shield, between the EU and the USA invalid. This means that a large proportion of data transfers to the USA are now inadmissible. The ruling has far-reaching consequences for all EU companies that use cloud services from US providers or generally transfer personal data to the USA.

The ECJ ruling only plays a role for you if your company processes personal data outside the EU in a so-called “third country”.

Your company is therefore affected by the ruling if you use software services (including the website) that are operated on US servers or by US providers or if your company is part of an international group and personal data is shared with group companies in the USA.

Sebastian Herting
About the guest author
Sebastian Herting is a lawyer and partner at the data protection law firm Herting Oberbeck Rechtsanwälte and focuses on data protection law, online law and IT law. As a TÜV-certified data protection officer, he supports organizations in the practical implementation of the GDPR.

Basics of data transfer to the USA
The GDPR stipulates that personal data may only be processed outside the EU if the third country provides an adequate level of data protection (see Art. 44 GDPR). The law offers various options for ensuring this adequate level of data protection:

The EU Commission can examine and officially determine the adequate level of data protection in a third country or a sector within a third country (Article 45 GDPR). Such adequacy decisions exist for Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.
An adequate level of data protection has not been established for the USA, but US companies have previously been able to obtain certification under the EU-US Privacy Shield in order to achieve an adequate level of data protection. This instrument has now been declared invalid by the ECJ.
If there is no adequacy decision, companies can conclude standard data protection clauses (Standard Contractual Clauses (SCC), Art. 46 Para. 2 Letter c GDPR). These are standard contractual clauses that are specified by the EU Commission and contractually oblige the contractual partner in the third country to ensure data protection at EU level. It is important that the contractual partner can actually comply with these obligations.
Corporations have the option of adopting binding internal data protection rules (Binding Corporate Rules (BCR), Art. 47 GDPR). This is a complex process that also has to be approved by the supervisory authorities. These rules must also actually be complied with.
Data transfers that are necessary for the performance of a contract between the data subject and the controller or for the implementation of pre-contractual measures at the request of the data subject are permitted without further requirements (Article 49 GDPR). This exception applies, for example, to travel bookings in the USA.
The data transfer is permitted with the consent of the data subject (Article 49 GDPR). However, the requirements for effective consent are high and, among other things, information must be provided about the possible risks of data transfers to third countries without an adequacy decision and without suitable guarantees.
There are further exceptions in Articles 46 and 49 of the GDPR, but these have little practical relevance.