CEP Magazine (October 2020)
On July 16, the Court of Justice of the European Union declared the European Commission’s July 2016 decision on the adequacy of the privacy protection provided by the EU-US Privacy Shield as invalid.[1] As a result, the EU-US Privacy Shield framework is no longer a valid mechanism to comply with General Data Protection Regulation (GDPR) requirements when transferring personal data from the European Union to the United States. The decision does not, however, relieve participants in the EU-US Privacy Shield of their obligations under the framework.
The court found that US surveillance tactics are in conflict with rights granted to European citizens under GDPR and, therefore, the mechanism developed for data exchanges. In a statement given to media after the decision was made public, Max Schrems, a privacy activist and party to the case, explained some of the reasoning behind the court’s judgment:
“‘The Court clarified for a second time now that there is a clash between EU privacy law and US surveillance law. As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley.’”[2]