ECJ declares data protection agreement "Privacy Shield" between EU and USA invalid

The European Court of Justice has declared the "Privacy Shield" data protection agreement between the EU and the USA to be invalid (ECJ ruling of 16.07.2020, C-311/18). This has far-reaching consequences for transatlantic business transactions.

The ECJ had already overturned the Safe Harbor regulation, the predecessor of the Privacy Shield agreement, in 2015.

The Privacy Shield was intended to guarantee the level of protection of the EU General Data Protection Regulation (GDPR; German: DSGVO) when personal data is transferred from the EU to the USA. US companies therefore had to be certified as recipients of protected data.

The following should now be examined:

1. What data processing takes place in the USA and whether it has been authorized to date on the basis of your US business partner's Privacy Shield certification.

2. These business partners should be contacted in order to clarify which legal alternatives can be considered in order to continue processing data in the USA. These are, for example:

a) so-called standard contractual clauses:

These are model contracts provided by the EU. We would be pleased to advise you on the selection of the appropriate contract and the further procedure.

b) so-called Binding Corporate Rules:

These are binding corporate guidelines to ensure a level of protection for data transmission that complies with the General Data Protection Regulation (DSGVO).

It should be noted, however, that this is a lengthy process and requires the approval of the competent data protection supervisory authority.

c) Relocation of the data processing to the EU or to another third country

As a last resort, consideration should be given to relocating the data processing to the EU or another safe third country (such as Japan, Israel, Switzerland, Argentina, Canada, New Zealand or Uruguay) in order to deal with the problem effectively.

3. After the procedures have been adapted, the data protection declarations must be adapted accordingly, insofar as they state that data processing is taking place in the USA with a business partner certified under the Privacy Shield. The new legal basis for the transfer of data must then be stated there.

The same applies to your internal procedural documentation and to concluded contract processing agreements (e.g. for hosting or software as a service) if a US contract processor or US subcontractor has been engaged.

Since the decision of the European Court of Justice has considerable EU-wide implications, it can be assumed that the data protection supervisory authorities will grant the companies concerned a transitional period to adjust their processes before regulatory measures are threatened. This was also the case after the decision on the invalidity of the Safe Harbor Agreement.

However, it remains to be seen whether this postponement will also apply to competition law warnings by competitors or other associations. A prompt solution should therefore be found.

Our competence team "Company and Economy" will be happy to advise you.


Your contact person:

Tim Schwarzburg
Specialist lawyer for labor law

Specialist lawyer for commercial and corporate law