On July 16, 2020, the EU Court of Justice decided “Schrems II” and invalidated the EU Commission’s Decision 2016/1250 regarding the adequacy of the EU-U.S. Privacy Shield (“the Privacy Shield Decision”). As described in the Press Release issued by the Court:
[T]he limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country, which the Commission assessed in Decision 2016/1250, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.
This case was the second one brought by Max Schrems against Facebook in its Irish domicile – which is why the case is now in the hands of the Irish Data Protection Commission. In rejecting the use of a Privacy Shield Ombudsperson who was independent from the Intelligence Community – the agreed-upon safeguard found in the Privacy Shield Decision, the Court of Justice ruled that such a mechanism “does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law, such as to ensure both the independence of the Ombudsperson provided for by that mechanism and the existence of rules empowering the Ombudsperson to adopt decisions that are binding on the US intelligence services.”
Now that the Court has invalidated the European Commission’s adequacy decision for the EU-U.S. Privacy Shield, thousands of US companies relying on such a mechanism will need to reevaluate their compliance efforts. The US Commerce Department echoed today the same disappointment likely felt by these companies. Reminding companies there is still a “US” component very much still intact in the “EU-US Privacy Shield”, the Secretary of Commerce also stated that “today’s decision does not relieve participating organizations of their Privacy Shield obligations.”