Jul 11, 2020 | Articles, Cyber Security, GDPR, ISO

Is Privacy Shield all but dead?

Howard Freeman


Commission conducting ‘preparatory work’ should ECJ invalidate privacy shield

The European Commission is preparing for the eventuality that the European Court of Justice (ECJ) may invalidate the EU-US data transfer agreement known as the Privacy Shield. The agreement is under threat according to Justice Commissioner Didier Reynders.

The long-awaited case is all about whether Standard Contractual Clauses (SCCs) can be used to transfer data outside the EU. In this case, the question is whether they are a legitimate way of transferring data to other legal regimes while still respecting EU data protection laws. The case comes to court on 16th July when the ECJ will rule.


By extension, the ECJ might adopt a position on the validity of the Privacy Shield agreement. This is the mechanism used for transferring personal data between the EU and the US.

Not the first time

Notably, this is not the first time judges at the highest court in Europe have invalidated an EU-US data framework. In 2015, the nullification of the 2015 Safe Harbour agreement took place. Eventually this would lead to the creation of the Privacy Shield.

EU’s Justice Chief Didier Reynders was speaking as part of a Brussels videoconference event on Tuesday (30 June). He was asked about the measures the Commission was considering should the Privacy Shield agreement be invalidated.

Reynders said the Commission was conducting “preparatory works about the different possibilities that will result from the decision of the court.”

“We don’t have one plan, but we have some ideas about the different ways to give an answer, following the scope of the decision of the court,” he added. Reynders was keeping his cards close to his chest about how the Commission would react to a legal invalidation of the Privacy Shield.

In December, a non-binding opinion from the ECJ was given. The ECJ found that the Commission’s standard contractual clauses were valid. Opinions issued by the court are normally good indications of how final rulings turn out.

The case follows a legal challenge from Austrian privacy activist Max Schrems. He believes that the Commission’s standard contractual clauses do not adequately protect EU citizens’ privacy.

If there isn’t an adequacy agreement in place between the EU and a third country, then these clauses are used in an attempt to provide sufficient data protection safeguards. Tech giants such as Facebook and thousands more businesses worldwide use SCCs.


The court will rule next week. If found in favour of Schrems, the move could have profound consequences for many firms including Facebook. Data flows operate between many EU and non-EU businesses. The ruling could oblige firms to stop or potentially face hefty fines.

However, the Advocate General questioned the legitimacy of the agreement. There were reasons that led him to question the validity of the ‘privacy shield’ decision. The right to respect for private life and the right to an effective remedy must exist. It is clear that Privacy Shield does not provide an effective remedy.

The Safe Harbour principles were developed to prevent businesses from losing or accidentally revealing personal data. Previously, in 2015, Schrems successfully mounted a legal challenge over the principles.

The Safe Harbour agreement invalidation stemmed from an opinion issued to the court by ECJ Advocate General Yves Bot. He added that individual data protection authorities could suspend data transfers to other countries. If data protection rights breaches come to light, suspension is possible.

So, the court will deliver the ruling on the case on 16th July. The case details are C-311/18, Facebook Ireland and Schrems.

Privacy Shield and your business

How does this change affect your business? Firstly, if you routinely store data in America, you may want to talk to us. Secondly, the same applies if you are storing client data in Google Sheets. Thirdly, it applies if the hosting of your web site is in the USA and you harvest data through it. Finally, the location of your CRM data will need to be considered and perhaps changed. Your business practices will have to change if the ruling sees Privacy Shield invalidated.

Equally important, if you have a Data Asset Register then you will have all this information recorded. If you haven’t, then it is time to think about it. Coupled with this is your Data Flow Map, which illustrates your flow of data. Moreover, how will this change the risk to the data in your business? Call us today for a complimentary review. You can book one here. You can learn more about the services we offer here.

In conclusion, this could be one of the biggest changes to European data law since the GDPR came into force. Businesses will feel the impact in Europe and in America from social media giants to businesses like yours and mine.

