EU Data Protection and Privacy

In a ground-breaking opinion issued today, the Court of Justice of the European Union invalidated the EU-US Privacy Shield Decision as a method for transferring personal data from the EU to the US. In short, the Decision was invalidated over Privacy Shield’s failure to adequately address US government surveillance activities.

Conversely, the Court upheld the use of standard contractual clauses for transfers of personal data to third countries but emphasized that the parties are under an obligation to ensure that the laws in the recipient country are sufficient.  Specifically, the Court held that GDPR Article 46(1) and 46(2)(6) “must be interpreted as meaning that the appropriate safeguards, enforceable rights and effective legal remedies required by those provisions must ensure that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses are afforded a level of protection essentially equivalent to that guaranteed” in European law.


Continue Reading CJEU Invalidates EU-U.S. Privacy Shield; Upholds Standard Contractual Clauses