CJEU strikes down EU-US Privacy Shield

21 July, 2020

On the 16th of July 2020 the Court of Justice of the European Union (“CJEU”) declared the EU-US Privacy Shield agreement (the “Privacy Shield”) invalid on the basis that it did not sufficiently protect the personal data of European citizens to the standard required by EU 2016/679 General Data Protection Regulation (the “GDPR”).  

Under the GDPR, the transfer of personal data to a third country may, in principle, take place only if the third country in question ensures an adequate level of data protection.  The Privacy Shield, a self-certification framework implemented in 2016, was intended to provide such a mechanism through which personal data could be lawfully transferred from the European Union to the USA.

This decision, however, will impact the transfer of personal data from EU countries to the USA and will have significant implications for businesses previously relying on the Privacy Shield to transfer EU personal data to the USA.   An alternative mechanism for the transfer of personal data is the standard contractual clauses (“SCCs”) approved by the European Commission. 

While the CJEU in its judgment reaffirmed the validity of the SCCs, it also highlighted that the relevant data protection commissioners and the companies in question must ensure that the law in the non-EU country ensures adequate protection for the personal data transferred under the SCCs and if it does not, the companies concerned must provide additional safeguards or suspend transfers.

The judgment has garnered mixed reactions on both sides of the Atlantic, with the US Department of Commerce expressing their disappointment but saying it will be liaising with the European Commission on how best to limit the negative consequences. The Computer and Communications Industry Association (a lobby group for US tech companies) criticised the decision “which creates legal uncertainty for the thousands of large and small companies on both sides of the Atlantic”.

Strongly welcoming the decision, the Irish Data Protection Commission (“DPC”) stated: “Today’s judgment provides just that, firmly endorsing the substance of the concerns expressed by the DPC (and by the Irish High Court) to the effect that EU citizens do not enjoy the level of protection demanded by EU law when their data is transferred to the United States.”  The DPC in its statement went on to acknowledge its central role (together with the other supervisory authorities across the EU) in developing a common position within the EU, to give meaning and practical effect to the CJEU decision.

This decision forms part of the case taken against Facebook in the Irish courts by Max Schrems, an Austrian privacy campaigner.  The Privacy Shield had replaced the EU US Safe Harbor framework which too was struck down in 2015 on foot of a similar complaint by Mr. Schrems.

In light of this decision, companies relying on the Privacy Shield in the context of its trans-Atlantic transfers and further processing of EU personal data must now implement appropriate measures (such as the SCCs) to ensure such transfers are lawful and indeed to ensure compliance with the requirements of the GDPR.

This note is for general information purposes and does not constitute legal advice. Legal advice must be obtained for all individual circumstances. Each case must be assessed on its own merits

About The Authors


Laura Myles

Laura Myles is the Head of Technology and IP at Flynn O’Driscoll Business Lawyers with 25 years’ experience in intellectual property and technology law and practice….

View Profile


Áine Moloney

Áine joined the Corporate and Commercial team at Flynn O’Driscoll in May 2019. Prior to joining the firm, she trained and worked in a mid-sized firm in Dublin, and gained experience in both commercial and civil……

View Profile


Nolene Treacy

Nolene graduated from the National University of Ireland, Galway in 2014 with an honours Bachelor of Corporate Law degree and an honours Postgraduate LLB degree…….

View Profile

Translate »