EU High Court Strikes Down EU-U.S. Privacy Shield

July 17, 2020

The Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Privacy Shield, which allowed companies to transfer data to the U.S., ruling that the agreement left EU citizens exposed to U.S. government surveillance.  How severely it impacts HR operations, however, remains to be seen.

Standard Contract Clauses (SCCs) called into question:  Standard Contract Clauses—agreements between data exporters and importers that personal data rights will be respected—remain valid.  However, the CJEU highlighted obligations of data importers to alert the EU-based country of any reason it cannot comply with the clauses.  This particularly applies where sufficient protections may not be expected in the country to which personal data is being exported from the EU. 

HR Policy Privacy Counsel Harriet Pearson of Hogan Lovells:  “Twenty years of streamlined data transfer compliance is now effectively over since Europe’s highest court has invalidated the EU-US Privacy Shield.  And with another key GDPR compliance mechanism—standard contractual clauses—under scrutiny, companies in the U.S. and globally will want to monitor the situation and to plan to confirm the legal sufficiency of the contractual arrangements they use to access European personal data.  If there is a bright side, it’s that HR may be less impacted than commercial operations since such reviews and adjustments are likely more straightforward for HR—but time will tell.”

Outlook:  U.S. Commerce Secretary Wilbur Ross quickly expressed his disappointment in the ruling, which may have "negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments."  With the cost of global compliance rising, a U.S. federal data privacy law appears that much more palatable—if not an important component of doing business overseas.