Ensuring a standardised protection of the European citizens’ fundamental rights, when transferring their personal data between the European Union and the United States, represents a challenge in the digital age. In order to ensure an adequate level of protection in the transatlantic transfer of these data, on 12th July 2016, the European Commission established the Adequacy Decision (EU) 2016/1250, more widely known as the EU-US Privacy Shield.

Although there were some doubts regarding its compatibility with GDPR’s requirements, the Privacy Shield was in force until 16th July 2020, when the Court of Justice of the European Union declared the Adequacy Decision 2016/1250 invalid, in the decision known as Schrems II.

In the second episode of this saga, following Schrems I in which Safe Harbour was invalidated, Maximillian Schrems maintained the argument that the US would not ensure effective protection of transferred data and called for a suspension of his personal data transfer to the US. The Court of Justice considered that GDPR applies to any transfer of personal data, from an organisation established in a Member State to another organisation established in a third country, and that its requirements on enforceable rights, adequate safeguards and effective legal remedies must be applied in such a way that data subjects whose data is transferred to a third country can benefit from an equivalent level of protection as ensured in the EU.

In this sense, the Court of Justice ruled that Privacy Shield did not provide the necessary safeguards against US information authorities’ interference in the exercise of data subjects’ fundamental rights, relating to respect for private life, protection of personal data and effective judicial protection, leading to a new approach for personal data transfer to third countries.

Read Catarina Nogueira's full article on the Cyberlaw Magazine by Centro de Investigação Jurídica do Ciberespaço, here (see page 12).

‍

Article by Catarina Nogueira.