European Union (EU) Court Invalidates EU-U.S. Privacy Shield for Data Transfers

Privacy

Written By Employment Screening Resources® (ESR)

On July 16, 2020, the Court of Justice of the European Union (CJEU) issued a decision that invalidated the EU-U.S. Privacy Shield Framework and opened the door for the possible suspension of data transfers from the European Union to the United States based on the Standard Contractual Clauses (SCCs), a CJEU press release stated.

The Court’s invalidation turned primarily on the fact that the Privacy Shield allows U.S. intelligence agencies to access personal data transferred from the EU to the U.S. in bulk and without any independent judicial recourse in the U.S. for EU residents who wish to lodge a complaint concerning such access. 

According to the CJEU, this means that Privacy Shield does not provide an adequate level of protection for transferred personal data as required by the General Data Protection Regulation (GDPR). While this has nothing to do with background checks for employment purposes, it nonetheless has a negative impact.

While the CJEU upheld the validity of the SCCs as a data transfer mechanism, the Court ruled that EU data protection regulators may suspend transfers of personal data from the EU to a third country, such as the U.S., after determining that the third country’s laws undercut SCCs protections for personal data. 

Since the CJEU’s decision impacts thousands of businesses on both sides of the Atlantic, EU and U.S. authorities will be under tremendous political and economic pressure to develop an alternative approach before a final judgment in an Irish legal proceeding suspending data transfers from Ireland to the United States.

The EU-US. Safe Harbor, the predecessor to Privacy Shield, was invalidated by the CJEU on October 6, 2015. EU data protection regulators suspended enforcement for more than two months to give organizations time to address that decision and likely will announce a similar suspension in response to the CJEU’s decision.

Designed by the U.S. Department of Commerce and the European Commission, the EU-U.S. Privacy Shield Framework officially launched on August 1, 2016, and includes seven commonly recognized privacy principles combined with 16 supplemental principles. To learn more about the Privacy Shield, visit www.privacyshield.gov.

The GDPR – which took effect May 25, 2018 – requires employers to provide data processing notices to employees and independent contractors that address a long list of topics, including whether personal data is transferred outside the EU and identification of approved mechanisms legitimizing data transfers. 

Employment Screening Resources® (ESR) – a leading global background check provider – self-certifies adherence to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks and has incorporated fully compliant GDPR policies, procedures, and technologies. To learn more about ESR, visit www.esrcheck.com.

NOTE: Employment Screening Resources® (ESR) does not provide or offer legal services or legal advice of any kind or nature. Any information on this website is for educational purposes only.

© 2020 Employment Screening Resources® (ESR) – Making copies of or using any part of the ESR News Blog or ESR website for any purpose other than your own personal use is prohibited unless written authorization is first obtained from ESR.