June 07, 2019
The European Court of Justice (CJEU) will hear a case to determine whether the U.S. “ensures an adequate level of protection” under EU privacy law when transferring data, potentially undermining the EU/U.S. Privacy Shield model of data transfer.
The Irish High Court ruled that the U.S. was engaged in “mass and indiscriminate surveillance” of European citizens and called into question the strength of the Privacy Shield.
How the Privacy Shield works with the General Data Protection Regulation (GDPR): The EU's Privacy Shield is a program under which companies may be certified as providing adequate protection of personal data under the GDPR in order to transfer personal data to the U.S.
The case revolves around Facebook’s involvement with the NSA’s Prism surveillance program following 2013 revelations by former U.S. intelligence contractor Edward Snowden.
Now the CJEU will answer 11 questions posed by the Irish Supreme Court that will have huge implications for both the EU/U.S. Privacy Shield model and the validity of the standard contractual clauses used to transfer personal data between Europe and the U.S.
Outlook: The Privacy Shield was the EU/U.S. response to the collapse of the Safe Harbor model. If the Privacy Shield model collapses as well, it is unclear what will be put in its place.