Responding to news that the European Court of Justice (ECJ) has declared the EU-US Privacy Shield, which regulates transatlantic exchanges of personal data, to be invalid, Miriam Everett, global head of data and privacy at Herbert Smith Freehills, has said “the decision will be a big blow to many businesses in the US who have worked hard to ensure personal data can be sent to them from Europe without restriction.”
The judgment follows a case brought by an Austrian national concerned about adequate protection of his personal data. In its judgment, although the ECJ ruled that data ‘must be afforded a level of protection essentially equivalent’ to the GDPR, it noted that the standard contractual clauses remain valid.
Commenting on the ruling, Everett says:
“A number of the ‘big tech’ companies are registered with the Privacy Shield, and today’s judgment means that many European businesses relying on Privacy Shield to be able to send data to those companies will now need to scramble to put an alternative in place.
“However, the decision will still be a huge relief for the thousands of businesses throughout Europe that currently rely on the standard contractual clauses contracts to be able to send data to group companies, service providers and other third parties, in the US and across the globe.
“Yet there remains a fairly significant sting in the tail. In what perhaps can be seen as a compromise between the politics and the legal issues of this case, the court has confirmed the obligation on both businesses and regulators to evaluate the data protection regime in any country that is receiving data from Europe. The upshot seems to be, if there is a mass government surveillance regime then data should not be sent. Quite what that means for data transfers to the US, which were the subject of the complaint in this case, or how companies should comply in practice, is left unclear.”