Skip to content

The Court of Justice of the European Union (CJEU) declares invalid a decision of the European Commission which attested that the EU-U.S. Privacy Shield provided adequate protection to personal data transferred from the EU to the U.S., if the receiving party had self-certified its adherence to the Privacy Shield Principles. At the same time, the CJEU clarifies that the so-called standard contractual clauses (SCC) may still be used – with important caveats.

Overlaying this ruling is a genuine concern among multi-national organizations, many of which being Israel-based companies, that privacy commissions throughout the EU may eventually elect to prohibit all personal data transmissions to the U.S. until a more comprehensive data privacy program is adopted by the U.S. government.  With developments set to occur over the next few months between the EU and the U.S., broad implications are to be expected for companies doing business all over the world.

For more information, please contact Tel Aviv Shareholder, Adam Snukal.

The Verdict’s Massive Impact

The ruling has an impact on (a) more than 5,000 companies in the United States that have self-certified under the Privacy Shield mechanism, and (b) an undefined number of companies outside the United States that relied on the recipients’ Privacy Shield self-certification to comply with the strict EU data protection laws.

Reasoning Behind the Annulment

As in the case of the Privacy Shield’s predecessor (the “U.S.-EU Safe Harbor Framework”), which was overturned by the CJEU in 2015, the CJEU criticizes the fact that neither U.S. law nor the Privacy Shield provides for effective remedies against the far-reaching rights of U.S. intelligence services. Therefore, the Privacy Shield does not meet the strict requirements of EU data protection law. The CJEU also found that the Privacy Shield ombudsman role was ineffective for providing EU data subjects an adequate level of protection or appropriate redress.

The Good News: CJEU Approved the SCC (Processors)

Fortunately, today’s ruling explicitly approves the general validity of the SCC (Standard Contractual Clauses) per se, but does leave them open to be challenged in the future. However, the CJEU stresses that the parties to the transfer are responsible for assessing on a case-by-case basis whether the SCC constitute a suitable mechanism to justify the transfer in question or not.

Depending on the laws and regulations of the country of destination, compliance with the SCC may require additional measures to be taken by the parties to secure the personal data subject to the GDPR. The CJEU emphasizes that the parties must immediately refrain from transferring data if its adequate protection cannot be ensured. If the parties, nevertheless, continue to base their processing on the SCC, then according to the CJEU, the competent EU supervisory authority must suspend or prohibit the transfer. In doing so, it should involve the European Data Protection Board, where appropriate, to ensure consistency of decisions across the EU.

What Now?

Companies that are subject to the GDPR should consider (i) their data flows to the U.S., (ii) the respective legal mechanism for such transfers to the U.S., and (iii) if the EU-U.S. Privacy Shield is the current transfer mechanism, put in place a legitimate transfer mechanism for such activities.

Even where data transfers are based on SCCs and are made to non-EU states other than the U.S., organizations should assess that the undertakings in the SCC are met throughout their term. Any changes required by the above may also need to be reflected in the company’s privacy policy, records of processing activities, etc.

Print:
EmailTweetLikeLinkedIn
Photo of Dr. Viola Bensinger Dr. Viola Bensinger

Viola Bensinger co-chairs the firm’s Data, Privacy & Cybersecurity Practice and she chairs the Technology Practice as well as the Litigation Practice in Germany. She advises clients from the technology, media, health care and other industries.

Within the technology sector, Viola advises international…

Viola Bensinger co-chairs the firm’s Data, Privacy & Cybersecurity Practice and she chairs the Technology Practice as well as the Litigation Practice in Germany. She advises clients from the technology, media, health care and other industries.

Within the technology sector, Viola advises international internet, technology and healthcare companies in the areas of digital products, IT outsourcing, e-commerce, electronic payment, data protection, software licensing as well as digital media.

Photo of Kate Black Kate Black

Kate Black’s practice focuses on data privacy, information protection, and commercial transactions in consumer technology, digital health, life sciences, and genetics. Kate provides companies with comprehensive, practical strategies for meeting their regulatory obligations while building and maintaining public trust and advancing innovative and

Kate Black’s practice focuses on data privacy, information protection, and commercial transactions in consumer technology, digital health, life sciences, and genetics. Kate provides companies with comprehensive, practical strategies for meeting their regulatory obligations while building and maintaining public trust and advancing innovative and emerging models of health care research and delivery. She’s managed every aspect of global privacy programs, including supervising privacy assessments, providing product strategy and counseling, managing complex vendor and partner agreements, and overseeing security policy audits for leading health technology companies. She regularly advises on proposed regulatory and legislative changes that will impact the health technology environment and has been a featured speaker and frequent lecturer on data privacy and cybersecurity, data analytics, digital health, mobile medical applications, and privacy issues related to genetic and health research.

Prior to joining the firm, Kate served as 23andMe’s first Global Privacy Officer in Mountain View, CA and worked in the Office of Policy and Planning in the Office of the National Coordinator for Health IT in the U.S. Department of Health and Human Services in Washington, D.C.

Photo of Marijn Bodelier Marijn Bodelier

Marijn Bodelier focuses on public law, real estate and environmental law. Marijn has particular experience in litigation in regulatory and real estate related matters. He is regularly involved in international transactions and innovative projects where public law aspects are a key-element.

Photo of Adam Snukal Adam Snukal

focuses his practice on technology, corporate law, intellectual property and banking law, with an emphasis on IT, technology licensing and privacy in the financial services and health care industries. Adam also counsels clients on matters concerning advertising and promotion law, social networking, media…

focuses his practice on technology, corporate law, intellectual property and banking law, with an emphasis on IT, technology licensing and privacy in the financial services and health care industries. Adam also counsels clients on matters concerning advertising and promotion law, social networking, media law, venture capital opportunities and M&A issues. He represents both established and emerging growth companies. Adam is both a frequent speaker and author of numerous articles on topics related to technology, advertising, media and the law.

Photo of Alan N. Sutin Alan N. Sutin

Alan N. Sutin is Chair of the firm’s Technology, Media & Telecommunications Practice and Senior Chair of the Global Intellectual Property & Technology Practice. An experienced business lawyer with a principal focus on commercial transactions with intellectual property and technology issues and privacy

Alan N. Sutin is Chair of the firm’s Technology, Media & Telecommunications Practice and Senior Chair of the Global Intellectual Property & Technology Practice. An experienced business lawyer with a principal focus on commercial transactions with intellectual property and technology issues and privacy and cybersecurity matters, he advises clients in connection with transactions involving the development, acquisition, disposition and commercial exploitation of intellectual property with an emphasis on technology-related products and services, and counsels companies on a wide range of issues relating to privacy and cybersecurity. Alan holds the CIPP/US certification from the International Association of Privacy Professionals.

Alan also represents a wide variety of companies in connection with IT and business process outsourcing arrangements, strategic alliance agreements, commercial joint ventures and licensing matters. He has particular experience in Internet and electronic commerce issues and has been involved in many of the major policy issues surrounding the commercial development of the Internet. Alan has advised foreign governments and multinational corporations in connection with these issues and is a frequent speaker at major industry conferences and events around the world.

Photo of Carsten A. Kociok Carsten A. Kociok

Carsten Kociok focuses his practice on the technology industry. He has broad experience in the areas of Internet, information technology, electronic and mobile payments and new media, as well as regulatory and data protection law issues.

Photo of Jacomijn Christ Jacomijn Christ

Jacomijn Christ focuses her practice on corporate law, data protection, antitrust, environmental law and real estate. Jacomijn advises on public law aspects in transactions, has experience with regulatory and data protection law issues, and has dealt with environmental and real estate related cases.

Jacomijn Christ focuses her practice on corporate law, data protection, antitrust, environmental law and real estate. Jacomijn advises on public law aspects in transactions, has experience with regulatory and data protection law issues, and has dealt with environmental and real estate related cases.

Jacomijn is also involved in GT’s China practice in Europe in this capacity, and has experience in working with Chinese mainland clients across a wide-range of sectors, including manufacturing, sales, technology and e-commerce.

Photo of Darren Abernethy Darren Abernethy

Darren J. Abernethy is a data privacy attorney with more than a decade of experience, including in AmLaw private practice in Washington, D.C. and as in-house counsel at startups and a leading privacy technology vendor. He advises clients on matters related to advertising

Darren J. Abernethy is a data privacy attorney with more than a decade of experience, including in AmLaw private practice in Washington, D.C. and as in-house counsel at startups and a leading privacy technology vendor. He advises clients on matters related to advertising technology, privacy, data breach management, and FTC best practices.

Darren’s concentrations include the California Consumer Privacy Act (CCPA), the European Union General Data Protection Regulation (GDPR)/ePrivacy, digital advertising, direct marketing, and IP-related transactional matters.

Photo of Luigi Fontanesi Luigi Fontanesi

Luigi Fontanesi represents clients on judicial and non-judicial matters in the fields of industrial law, intellectual property, trademarks, advertising, unfair competition, information technology, privacy, and media, as well as commercial issues related to company reorganization and insolvency law.

Luigi has deep experience in…

Luigi Fontanesi represents clients on judicial and non-judicial matters in the fields of industrial law, intellectual property, trademarks, advertising, unfair competition, information technology, privacy, and media, as well as commercial issues related to company reorganization and insolvency law.

Luigi has deep experience in drafting, negotiating, and setting up domestic and international franchising; master franchising, merchandising, distribution, research; and licensing contracts concerning trademarks, patents, software, register design, industrial design, and know-how.

Photo of Dr. Johanna Hofmann Dr. Johanna Hofmann

Johanna Hofmann advises German and international companies and groupt of companies on all questions of data protection and IT security law. The focus of her work is on the data protection-compliant structuring of existing and future business relationships, both on a national and…

Johanna Hofmann advises German and international companies and groupt of companies on all questions of data protection and IT security law. The focus of her work is on the data protection-compliant structuring of existing and future business relationships, both on a national and international level. Her field of interest lays in particular in the field of cloud computing, data protection certification and data security management. Through long-term secondments at a German group of companies and at the German subsidiary of a US-American technology group, Johanna has gained deep insights into different kinds of group-wide data protection organizations.

Before joining Greenberg Traurig Johanna worked with CMS Hasche Sigle in Munich for over two years. Prior to this, for several years she was a member of the project group for constitutionally compatible technology design and was in charge of an interdisciplinary research project on the dynamic data protection and IT security certification of cloud computing services.

Photo of Willeke Kemkers Willeke Kemkers

Willeke Kemkers is an associate in the IP / Tech department of Greenberg Traurig’s Amsterdam office. She focuses on a broad range of intellectual property issues, including proceedings, drafting of (commercial) contracts and providing of advice regarding transactions (mergers and acquisitions). Willeke also

Willeke Kemkers is an associate in the IP / Tech department of Greenberg Traurig’s Amsterdam office. She focuses on a broad range of intellectual property issues, including proceedings, drafting of (commercial) contracts and providing of advice regarding transactions (mergers and acquisitions). Willeke also has deep knowledge of EU e-commerce regulations and regularly counsels clients with respect to the interpretation and application of the relevant laws.

Furthermore, Willeke counsels clients on a wide range of privacy issues such as data processing agreements, cross-border transfers of data, privacy policies and data breaches. With respect to the coming into force of the GDPR, Willeke prepared clients from many different industries (transport, medical, legal) to be GDPR compliant.

Willeke also has experience with drafting and reviewing of IT contracts including hosting (cloud), outsourcing (SaaS, Iaas and Paas) and IT development contracts.

Photo of Ewen Mitchell Ewen Mitchell

Ewen Mitchell is an intellectual property and data protection consultant based in the London office. He advises clients on all aspects of IP and data protection law, with a focus on IP dispute resolution, strategic IP advice, and the IP aspects of international…

Ewen Mitchell is an intellectual property and data protection consultant based in the London office. He advises clients on all aspects of IP and data protection law, with a focus on IP dispute resolution, strategic IP advice, and the IP aspects of international transactions. He has practised in England and France.