EU-U.S. Privacy Shield Struck Down

Europe’s top court struck down the EU-U.S. Privacy Shield that workforce mobility companies use to protect the transfer of personal data of transferees between the EU and U.S.

On 16 July, Europe’s top court struck down the EU-U.S. Privacy Shield, a trans-Atlantic agreement that companies use to safely move data between the European Union and the United States. More than 5,000 companies including those in the workforce mobility industry use the system as it is integral to protecting the data of transferees.

The Privacy Shield was created in 2016 to replace the EU-U.S. Data Privacy Safe Harbor that companies used to protect data privacy for over a decade. Under the Privacy Shield, U.S. companies are obligated to self-certify with the U.S. Department of Commerce and publish their commitments on how personal data is processed and how individual rights are guaranteed. Those commitments are then subject to U.S. law and enforceable by the U.S. Federal Trade Commission to ensure that EU residents’ data is protected when shifted to the U.S.

According to analysis by the New York Times, the Privacy Shield was intended to “include a greater say for Europeans on how their information is used, the right to go to American courts when people think companies or the United States government may have misused their data, and written guarantees from American officials that government agencies will not indiscriminately collect and monitor Europeans’ data without cause.”

However, the European Court of Justice in Luxembourg ruled that the Privacy Shield did not comply with European privacy rights. American and European officials will now have to negotiate a new deal for transferring digital information, and businesses will have to find new legal mechanisms to continue moving data safely. This may include companies signing standard contractual clauses, or non-negotiable legal contracts drawn up by Europe.