The European Court of Justice (ECJ) today invalidated the EU-US privacy agreement “EU-US Privacy Shield”. The background to the decision is a complaint by Austrian lawyer and data protection activist Max Schrems.
asdfasHe had complained to the Irish data protection authority that Facebook Ireland had forwarded its data to its parent company in the United States. The complaint was based on the fact that Facebook is obliged in the United States to make the data available to US authorities such as the NSA and the FBI without the data subjects being able to object.
The ruling is likely to have a drastic impact on many companies within the EEA and in Switzerland that have placed their trust in the EU-US Privacy Shield, as the transfer of personal data to the United States is now lacking a legal basis in many cases. It remains to be seen whether this decision will also have an impact on the "Swiss-U.S. Privacy Shield", for which companies from the United States were able to obtain certification since April 12, 2017.
According to Regulation (EU) 2018/1725, an international transfer of personal data may only take place if there is adequate protection of the fundamental rights of the data subjects with regard to data protection in the recipient country. Until 20 July 2000, transfers to US institutions that have joined the Safe Harbor regime were considered adequate under European Commission Decision 2000/520/EC. However, this adequacy decision was declared invalid by the European Court of Justice on October 6, 2015, so that no further transfers to the United States can be made on this basis. In February 2016, the European Commission and the United States agreed on a new framework for transatlantic data transfers. The so-called "EU-US Privacy Shield" replaced the safe harbor regime, which led to the formal adoption on July 12, 2016 of a new European Commission adequacy decision for transfers to U.S. entities that have joined the EU-US Privacy Shield.