Privacy Shield and the GDPR: Inadequate Protection for Cross-border Data Transfers

On July 16, 2020, the Court of Justice of the European Union (CJEU) issued a landmark judgement that Privacy Shield is “invalid” because it does not provide “adequate protection” under Article 45 of the General Data Protection Regulation (GDPR) for transfers of personal data of individuals located in the European Union to the United States. This ruling has cast a shadow of uncertainty over the future of cross-border data transfer mechanisms; however, according to Privacy Shield, “this decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework.” One potential option for companies going forward may be to look at standard contractual clauses (SCCs), which the CJEU did not specifically invalidate.

A Brief Overview of Privacy Shield

The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and the European Commission to provide a mechanism for transfers of personal data from the European Union that complies with applicable data protection requirements. Privacy Shield was created in 2016, after a 2015 European Court of Justice (ECJ) decision ruled that the previous cross-border data transfer mechanism, Safe Harbor, was invalid. In 2015, when the ECJ ruled that Safe Harbor was invalid, the EU respected a grace period for organizations to react to the judgement – but as of yet, this same moratorium has not been applied to the Privacy Shield ruling.

According to U.S. Department of Commerce Secretary Wilbur Ross, “While the Department of Commerce is deeply disappointed that the court appears to have invalidated the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield, we are still studying the decision to fully understand its practical impacts.”

The Department of Commerce will continue to administer the Privacy Shield program to its more than 5,000 members, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List.

The Importance of GDPR Article 45: “Transfers on the basis of an adequacy decision”

Article 45 of the GDPR is central to the July 16, 2020, ruling by the CJEU. Article 45 states, in part, “a transfer of personal data to a third country or international organization may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection.”

Consequently, the CJEU in its landmark judgement on July 16, 2020, invalidated the EU-U.S. Privacy Shield Framework as a viable cross-border data transfer mechanism under the GDPR as it does not offer an adequate level of protection to the personal data of individuals located in the EU. The CJEU discussed in its decision that compliance with the principles of the EU-U.S. Privacy Shield Framework may be limited by the surveillance activities of the various national security programs of the United States.

Post Privacy Shield: A Focus on Standard Contractual Clauses and Other Viable Mechanisms

Although the July 16, 2020, ruling by the CJEU has invalidated the EU-U.S. Privacy Shield Framework, it did not specifically invalidate the use of standard contractual clauses (SCCs) as a potential mechanism for transfers of personal data to a third country. However, the CJEU stated that a case-by-case analysis is necessary to determine whether the country receiving the personal data ensures a level of protection essentially equal to the requirements under EU law.

This case-by-case analysis will need to examine supplementary measures along with the SCCs to determine whether the circumstances surrounding a proposed transfer ensure that U.S. law does not diminish or infringe upon the adequacy of the required protection for personal data.

Additionally, there is a new focus on other viable mechanisms and contractual language that could be put into practice through binding corporate rules – or derogations as a last resort.

As organizations renew their focus on SCCs and other potential data transfer mechanisms authorized by the GDPR, they should also inventory and catalog their personal data transfers, so that they can assess each category of personal data transfer to effectively plan their implementation of a lawful data transfer mechanism.

Privacy Compliance

In light of the Privacy Shield ruling, organizations should consider ISO 27701, a recently created standard for implementing a privacy information management system (PIMS) as an extension to an existing information security management system (ISMS). Although ISO 27701 has not been recognized as a certifying standard for the GDPR and does not equal compliance with the GDPR, it will provide a solid foundation in security and privacy upon which a company can build a comprehensive privacy program to protect personal data and demonstrate accountability as required by the GDPR.

