Today, July 16th 2020, the European Court of Justice declared the Privacy Shield invalid. The Privacy Shield is an agreement between the EU and the US, which stipulates that if an organization in the US has joined the Privacy Shield, there is adequate protection of privacy. This means that under the Privacy Shield the transfer of data of European citizens to companies based in the US is allowed. The protection of the rights and freedoms of those European citizens would then be sufficiently guaranteed. This is not the case! In the judgment of the European Court of Justice it has been determined that this protection is not present and that the Privacy Shield is therefore invalid. The transfer of personal data to the US on the basis of Standard Contractual Clauses (SCC) remains valid.
The reasons for invalidity
The ruling of the European Court is the outcome of the court case that Max Schrems conducted against Facebook Ireland. Earlier, in 2015, Safe Harbor was declared invalid. That was the predecessor of the Privacy Shield. The Privacy Shield itself is now also invalid. The Court mentions as the most important reasons that the restrictions on privacy that follow from US regulations are insufficiently demarcated and disproportionate and therefore constitute too great an invasion of privacy. This concerns the internal regulations on surveillance on the basis of which US government agencies have almost unlimited access to personal data processed by US companies. In any case, there is no limitation to what is strictly necessary. The American way of working is therefore in direct conflict with the principles of the General Data Protection Regulation (GDPR).
In addition, there is no possibility for a citizen to exercise his or her rights. There are no appeal possibilities and there is insufficient transparency. This means that there is a lack of legal protection and no control over the correctness of processing operations. But a citizen can also not take action against a breach of his or her privacy rights.
The impact of this statement is considerable. Many organizations refer to the Privacy Shield when using international suppliers of services or software. And of course there are many cloud services to which this applies. The transfer of certain personal data to the US would be lawful with the connection to the Privacy Shield. That is no longer the case. However, there is an alternative on which the Court has also ruled, namely the Standard Contract Clauses (SCC). These remain valid, which means that an agreement based on these provisions can offer the necessary safeguards. However, the question is whether this also applies to transfers to the US or China. After all, the party to whom the data is transferred must guarantee that the safeguards actually apply. And that is precisely not the case.
This leaves only Binding Corporate Rules (BCR) as an alternative. But these are only suitable for large international companies, so not just for every organization. And if you want to have BCR approved, there is currently a waiting list of about 5 years at the Dutch Data Protection Authority ....
Conclusion: at the moment there does not seem to be an adequate solution available. With regard to the ruling of the European Court of Justice, it seems best to build on the SCC. But as long as the US does not change its surveillance regulations, there will be a lack of adequate protection for citizens whose data is transferred to the US.