Skip to content

The Court of Justice of the European Union (CJEU) declares invalid a decision of the European Commission which attested that the EU-U.S. Privacy Shield provided adequate protection to personal data transferred from the EU to the U.S., if the receiving party had self-certified its adherence to the Privacy Shield Principles. At the same time, the CJEU clarifies that the so-called standard contractual clauses (SCC) may still be used – with important caveats.

Overlaying this ruling is a genuine concern among multi-national organizations, many of which being Israel-based companies, that privacy commissions throughout the EU may eventually elect to prohibit all personal data transmissions to the U.S. until a more comprehensive data privacy program is adopted by the U.S. government.  With developments set to occur over the next few months between the EU and the U.S., broad implications are to be expected for companies doing business all over the world.

For more information, please contact Tel Aviv Shareholder, Adam Snukal.

The Verdict’s Massive Impact

The ruling has an impact on (a) more than 5,000 companies in the United States that have self-certified under the Privacy Shield mechanism, and (b) an undefined number of companies outside the United States that relied on the recipients’ Privacy Shield self-certification to comply with the strict EU data protection laws.

Reasoning Behind the Annulment

As in the case of the Privacy Shield’s predecessor (the “U.S.-EU Safe Harbor Framework”), which was overturned by the CJEU in 2015, the CJEU criticizes the fact that neither U.S. law nor the Privacy Shield provides for effective remedies against the far-reaching rights of U.S. intelligence services. Therefore, the Privacy Shield does not meet the strict requirements of EU data protection law. The CJEU also found that the Privacy Shield ombudsman role was ineffective for providing EU data subjects an adequate level of protection or appropriate redress.

The Good News: CJEU Approved the SCC (Processors)

Fortunately, today’s ruling explicitly approves the general validity of the SCC (Standard Contractual Clauses) per se, but does leave them open to be challenged in the future. However, the CJEU stresses that the parties to the transfer are responsible for assessing on a case-by-case basis whether the SCC constitute a suitable mechanism to justify the transfer in question or not.

Depending on the laws and regulations of the country of destination, compliance with the SCC may require additional measures to be taken by the parties to secure the personal data subject to the GDPR. The CJEU emphasizes that the parties must immediately refrain from transferring data if its adequate protection cannot be ensured. If the parties, nevertheless, continue to base their processing on the SCC, then according to the CJEU, the competent EU supervisory authority must suspend or prohibit the transfer. In doing so, it should involve the European Data Protection Board, where appropriate, to ensure consistency of decisions across the EU.

What Now?

Companies that are subject to the GDPR should consider (i) their data flows to the U.S., (ii) the respective legal mechanism for such transfers to the U.S., and (iii) if the EU-U.S. Privacy Shield is the current transfer mechanism, put in place a legitimate transfer mechanism for such activities.

Even where data transfers are based on SCCs and are made to non-EU states other than the U.S., organizations should assess that the undertakings in the SCC are met throughout their term. Any changes required by the above may also need to be reflected in the company’s privacy policy, records of processing activities, etc.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Dr. Viola Bensinger Dr. Viola Bensinger

Viola Bensinger is Global Co-Chair of the Greenberg Traurig’s IP & Technology Practice Group and the Global Data Privacy & Cybersecurity Practice, and also chairs the Technology Practice in Germany. She advises clients from the technology, media, health care, automotive and other industries.

Photo of Greenberg Traurig Greenberg Traurig

Kate Black’s practice focuses on data privacy, information protection, and commercial transactions in consumer technology, digital health, life sciences, and genetics. Kate provides companies with comprehensive, practical strategies for meeting their regulatory obligations while building and maintaining public trust and advancing innovative and…

Kate Black’s practice focuses on data privacy, information protection, and commercial transactions in consumer technology, digital health, life sciences, and genetics. Kate provides companies with comprehensive, practical strategies for meeting their regulatory obligations while building and maintaining public trust and advancing innovative and emerging models of health care research and delivery. She’s managed every aspect of global privacy programs, including supervising privacy assessments, providing product strategy and counseling, managing complex vendor and partner agreements, and overseeing security policy audits for leading health technology companies. She regularly advises on proposed regulatory and legislative changes that will impact the health technology environment and has been a featured speaker and frequent lecturer on data privacy and cybersecurity, data analytics, digital health, mobile medical applications, and privacy issues related to genetic and health research.

Prior to joining the firm, Kate served as 23andMe’s first Global Privacy Officer in Mountain View, CA and worked in the Office of Policy and Planning in the Office of the National Coordinator for Health IT in the U.S. Department of Health and Human Services in Washington, D.C.

Photo of Marijn Bodelier Marijn Bodelier

Marijn Bodelier focuses on public law, environmental law, and real estate. Marijn has particular experience with respect to project developments, permitting, enforcement, sustainability, renewable energy projects and regulatory compliance. Marijn is Co-Chair of GT’s global Hydrogen Group.

Marijn has a seat in the

Marijn Bodelier focuses on public law, environmental law, and real estate. Marijn has particular experience with respect to project developments, permitting, enforcement, sustainability, renewable energy projects and regulatory compliance. Marijn is Co-Chair of GT’s global Hydrogen Group.

Marijn has a seat in the appeals committee of the city of Alkmaar, he is a guest lecturer at Groningen University, and a regular author of in Dutch legal journals on public law, environmental law and regulatory matters. He completed his master’s degree in Law at Maastricht University cum laude and finished the post-graduate education Environmental and Planning Law of the Grotius Academy cum laude in 2012. He is an active member of the Dutch Environmental Attorneys’ Association (Vereniging van Milieurecht Advocaten).

According the 2022 edition of The Legal 500, “Marijn Bodelier is easily accessible, acts quickly and provides sound advice with regard to the public law aspects.”

Photo of Adam Snukal^ Adam Snukal^

Adam Snukal’s practice is primarily focused around the centrality of technology across many verticals and industries, with an emphasis on health care, FinTech, privacy, cyber-security, Ad-Tech, entertainment, IT/cloud infrastructure, outsourcing and Aerospace/ New Space. Mr. Snukal also regularly counsels clients on their global…

Adam Snukal’s practice is primarily focused around the centrality of technology across many verticals and industries, with an emphasis on health care, FinTech, privacy, cyber-security, Ad-Tech, entertainment, IT/cloud infrastructure, outsourcing and Aerospace/ New Space. Mr. Snukal also regularly counsels clients on their global privacy and data security compliance obligations, such as GDPR, HIPAA, CCPA, PCI, and more. Mr. Snukal’s clients range from large multi-nationals to emerging growth companies.

Mr. Snukal is both a frequent speaker and author of numerous articles on topics related to technology, advertising, media and the law.

^ Attorneys in the Tel Aviv office do not practice Israeli law.
Photo of Alan N. Sutin Alan N. Sutin

Alan N. Sutin is Chair of the firm’s Technology, Media & Telecommunications Practice and Senior Chair of the Global Intellectual Property & Technology Practice. An experienced business lawyer with a principal focus on commercial transactions with intellectual property and technology issues and privacy

Alan N. Sutin is Chair of the firm’s Technology, Media & Telecommunications Practice and Senior Chair of the Global Intellectual Property & Technology Practice. An experienced business lawyer with a principal focus on commercial transactions with intellectual property and technology issues and privacy and cybersecurity matters, he advises clients in connection with transactions involving the development, acquisition, disposition and commercial exploitation of intellectual property with an emphasis on technology-related products and services, and counsels companies on a wide range of issues relating to privacy and cybersecurity. Alan holds the CIPP/US certification from the International Association of Privacy Professionals.

Alan also represents a wide variety of companies in connection with IT and business process outsourcing arrangements, strategic alliance agreements, commercial joint ventures and licensing matters. He has particular experience in Internet and electronic commerce issues and has been involved in many of the major policy issues surrounding the commercial development of the Internet. Alan has advised foreign governments and multinational corporations in connection with these issues and is a frequent speaker at major industry conferences and events around the world.

Photo of Carsten A. Kociok Carsten A. Kociok

Carsten Kociok focuses his practice on the technology industry. He has broad experience in the areas of Internet, information technology, electronic and mobile payments and new media, as well as regulatory and data protection law issues.

Carsten advises national and international companies from

Carsten Kociok focuses his practice on the technology industry. He has broad experience in the areas of Internet, information technology, electronic and mobile payments and new media, as well as regulatory and data protection law issues.

Carsten advises national and international companies from the Internet, payments and technology industries on the commercial and regulatory side of their business, in particular in the areas of e-commerce and e-business, electronic and mobile payments, service distribution, franchising, outsourcing and technology transactions. This includes all aspects of e-money and payments law, financial services law, data protection and data security regulations, money laundering obligations as well as marketing, unfair competition, consumer protection and general contract law.

Prior to joining the firm, Carsten worked at Olswang for eight years and in the Capital Transaction Practice Group of an international law firm in New York.

Photo of Greenberg Traurig Greenberg Traurig

Jacomijn Christ focuses her practice on corporate law, data protection, antitrust, environmental law and real estate. Jacomijn advises on public law aspects in transactions, has experience with regulatory and data protection law issues, and has dealt with environmental and real estate related cases.

Jacomijn Christ focuses her practice on corporate law, data protection, antitrust, environmental law and real estate. Jacomijn advises on public law aspects in transactions, has experience with regulatory and data protection law issues, and has dealt with environmental and real estate related cases.

Jacomijn is also involved in GT’s China practice in Europe in this capacity, and has experience in working with Chinese mainland clients across a wide-range of sectors, including manufacturing, sales, technology and e-commerce.

Photo of Darren Abernethy Darren Abernethy

Darren J. Abernethy is an ad tech, data privacy and cybersecurity attorney with more than a decade of experience, including in Am Law private practice in Washington, D.C. and as in-house counsel at startups and a leading privacy technology vendor. He advises clients

Darren J. Abernethy is an ad tech, data privacy and cybersecurity attorney with more than a decade of experience, including in Am Law private practice in Washington, D.C. and as in-house counsel at startups and a leading privacy technology vendor. He advises clients on matters related to digital advertising, privacy law compliance, data breach management, M&A, and FTC best practices.

Darren’s concentrations include data-driven marketing campaigns, the California Consumer Privacy Act (CCPA) and other U.S. state privacy laws, the European Union General Data Protection Regulation (GDPR)/ePrivacy, direct marketing, and IP-related transactional matters.

Photo of Luigi Fontanesi Luigi Fontanesi

Luigi Fontanesi represents clients on judicial and non-judicial matters in the fields of industrial law, intellectual property, trademarks, advertising, unfair competition, information technology, privacy, and media, as well as commercial issues related to company reorganization and insolvency law.

Luigi has deep experience in…

Luigi Fontanesi represents clients on judicial and non-judicial matters in the fields of industrial law, intellectual property, trademarks, advertising, unfair competition, information technology, privacy, and media, as well as commercial issues related to company reorganization and insolvency law.

Luigi has deep experience in drafting, negotiating, and setting up domestic and international franchising; master franchising, merchandising, distribution, research; and licensing contracts concerning trademarks, patents, software, register design, industrial design, and know-how.

Photo of Dr. Johanna Hofmann Dr. Johanna Hofmann

Johanna Hofmann advises German and international companies and groupt of companies on all questions of data protection and IT security law. The focus of her work is on the data protection-compliant structuring of existing and future business relationships, both on a national and…

Johanna Hofmann advises German and international companies and groupt of companies on all questions of data protection and IT security law. The focus of her work is on the data protection-compliant structuring of existing and future business relationships, both on a national and international level. Her field of interest lays in particular in the field of cloud computing, data protection certification and data security management. Through long-term secondments at a German group of companies and at the German subsidiary of a US-American technology group, Johanna has gained deep insights into different kinds of group-wide data protection organizations.

Before joining Greenberg Traurig Johanna worked with CMS Hasche Sigle in Munich for over two years. Prior to this, for several years she was a member of the project group for constitutionally compatible technology design and was in charge of an interdisciplinary research project on the dynamic data protection and IT security certification of cloud computing services.

Photo of Greenberg Traurig Greenberg Traurig

Willeke Kemkers is a member of the IP / Tech department of Greenberg Traurig’s Amsterdam office. She focuses on a broad range of intellectual property issues, including proceedings, drafting of (commercial) contracts and providing of advice regarding transactions (mergers and acquisitions). Willeke also

Willeke Kemkers is a member of the IP / Tech department of Greenberg Traurig’s Amsterdam office. She focuses on a broad range of intellectual property issues, including proceedings, drafting of (commercial) contracts and providing of advice regarding transactions (mergers and acquisitions). Willeke also has deep knowledge of EU e-commerce regulations and regularly counsels clients with respect to the interpretation and application of the relevant laws.

Furthermore, Willeke counsels clients on a wide range of privacy issues such as data processing agreements, cross-border transfers of data, privacy policies and data breaches. With respect to the coming into force of the GDPR, Willeke prepared clients from many different industries (transport, medical, legal) to be GDPR compliant.

Willeke also has experience with drafting and reviewing of IT contracts including hosting (cloud), outsourcing (SaaS, Iaas and Paas) and IT development contracts.

Photo of Ewen Mitchell Ewen Mitchell

Ewen Mitchell is an intellectual property and data protection consultant based in the London office. He advises clients on all aspects of IP and data protection law, with a focus on IP dispute resolution, strategic IP advice, and the IP aspects of international…

Ewen Mitchell is an intellectual property and data protection consultant based in the London office. He advises clients on all aspects of IP and data protection law, with a focus on IP dispute resolution, strategic IP advice, and the IP aspects of international transactions. He has practised in England and France.

He also frequently advises EU and other businesses on compliance with the EU and UK General Data Protection Regulations (GDPR) including arrangements for international transfers of personal data, and the data protection aspects of corporate transactions.

Ewen’s previous experience includes trade mark filing and prosecution, and trade mark design and patent litigation before the English High Court and Court of Appeal and the Tribunal de Grande Instance, Paris.

Ewen’s work and experience spans all sectors, but he has particular experience in the pharmaceutical, medical device, motor vehicle, online, and mobile technology sectors.