The European Union Court of Justice (ECJ) ruled Thursday that the Privacy Shield agreement used for transferring European Union (EU) user data to companies in the US is invalid. The decision is a significant blow to tech companies in both the EU and the US.
The court annulled a 2016 decision in which the European Commission had held that the United States provides an adequate level of protection under the Privacy Shield agreement for the transfer of personal data from the European Union to the United States. In 2018, the EU instituted the General Data Protection Regulation (GDPR), a central instrument on privacy and data protection. Using the GDPR as guidance, the ECJ held that the quality of protection offered by the Privacy Shield does not meet the standard of protection guaranteed to EU citizens.
The objective behind the Privacy Shield Framework had been to provide companies with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States. The Privacy Shield agreement was set up in 2016 after ECJ invalidated the previous Safe Harbour agreement in 2015. Both the complaints against the policies have been brought by the Austrian data protection activist Max Schrems.
In its decision, the ECJ also confirmed the validity of another data transfer mechanism known as Standard Contractual Clauses (SCCs). Companies will be able to utilize the SCC system until a new framework is designed.