Privacy Shield invalidated – what about EU data now?

It happened. Finally, the European Union has taken the protection of the personal data of its citizens seriously. The Privacy Shield has been invalidated, which means the end of the uncontrolled legal drain of EU citizens’ personal data, not only to the US but outside the EU in general. All thanks to an Austrian activist who has disliked for years what Facebook does with his and your personal data, and to the judgment of the EU Court of Justice (CJEU) issued on the 16th of July 2020 in case C-311/18. Now, what does this judgment actually mean in practice?






The Privacy Shield invalidated is Facebook's fault
Facebook is watching you…













To begin with, the judgment of the CJEU is the result of a dispute between Facebook and Maximilian Schrems, an Austrian activist fighting for the protection of EU citizens’ personal data.

Maximilian particularly dislikes Facebook’s policy in this regard, and it is safe to say that he has been arguing with the American giant for years now.

On June 25, 2013 (seven years ago), our brave activist demanded that the Irish Personal Data Protection Authorities prohibit Facebook Ireland from transferring his personal data to the US. I wrote about how Facebook works in Europe in my post about how, after installing just one small Facebook plugin, you can become an inadvertent co-controller of your website visitors’ personal data.

In any case, the personal data of European Facebook users is transferred in whole or in part to the servers of Facebook, Inc., located in the United States of America.

According to Mr. Schrems, US law and practice do not provide sufficient protection for his personal data against activities carried out by US public authorities. In case C-311/18, the CJEU shared Mr. Schrems’ opinion and invalidated the EU Commission decision on the US Privacy Shield.

The verdict is 78 pages long. It is available in all EU languages, and I do recommend you read it yourself, although it is not exactly light reading.

In addition, the position and guidelines on this judgment issued by the European Data Protection Board (EDPB) are also very important.

So now let’s answer the question: what the hell is the Privacy Shield?





The Privacy Shield invalidated and what next











The Privacy Shield is an agreement between the European Union and the United States. In it, both parties specified the conditions to be met by US companies and other economic operators in order to be able to process EU citizens’ personal data. However, the whole Privacy Shield framework was based on self-certification. That is, a US company simply notified the relevant US public administration representative that it meets the data protection requirements of the EU-US Privacy Shield Agreement.

And that’s it.

The Privacy Shield agreement was approved by the EU Commission in Decision No. 2016/1250.

The idea of the Privacy Shield was that these self-certified US data operators would provide “adequate” protection for EU citizens’ personal data once it is transmitted to the USA. However, “adequate” was understood to be at least identical to the level of personal data protection guaranteed in the EU.





Captain America is watching you











Unfortunately, according to the CJEU, certificates for US companies under the Privacy Shield programme do not guarantee adequate protection of the personal data of EU citizens. 


In a nutshell, when personal data is transferred to the US, it is subject to US law from then on, and these laws, according to the EU Court, do not guarantee adequate protection of EU citizens’ personal data.

The Privacy Shield agreement states that compliance with the principles of personal data protection may be limited to the extent necessary to meet national security, public interest, or law enforcement requirements.

After examining the current US legislation in this regard, the CJEU concluded that the US public administration has too great a possibility to access and process EU citizens’ personal data once this data is transferred to the USA, and that therefore the requirements set forth in Article 45 of the GDPR are not met. Consequently, the Privacy Shield program does not guarantee a level of protection for personal data transferred from the EU to the US identical to the one such data has in the EU.

In this situation, declaring the Privacy Shield invalid was the only logical outcome.

This means that it no longer matters whether an American company is under the Privacy Shield program; such a certification is legally irrelevant at the moment. The Privacy Shield self-certification is no longer sufficient to consider the transfer of personal data of EU citizens to the US as legal according to EU laws.





data flow











The judgment in Case C-311/18 has consequences not only for the transfer of personal data of EU citizens to the United States. In general, the Court set out the principles it considers to be the minimum for a transfer of personal data from the EU to outside the Union to be lawful.

Most importantly, according to the rules stated by the Court, even the EU-approved Standard Contractual Clauses (SCC) or Binding Corporate Rules (BCR) do not protect personal data exporters and importers from breaching the GDPR.

Which raises a question: what to do now?

I shall get back to this in my next post.

Yours, Prawstoria