The "Privacy Shield" is an agreement between the EU and the United States that regulates the protection of personal data of EU citizens when it is transferred to the US. Under the agreement, the United States is to assure data security by providing data protection guarantees, in particular by giving EU citizens the possibility to sue for data protection violations and by setting up an ombudsman's office. In February 2016, President Obama signed a corresponding law, namely the "Judicial Redress Act".

However, the standards contained in the agreement for the handling of European information in the USA are not sufficient according to the recent decision of the European Court of Justice (ECJ). This means that companies will no longer be able to use the "Privacy Shield" rules for the purpose of data transmission in the future. If they do, they may face fines under the General Data Protection Regulation (GDPR).

On the other hand, the use of so-called standard contractual clauses (Standardvertragsklauseln), which guarantee an adequate level of protection when transferring data abroad, is legitimate in the opinion of the ECJ.

The reason for the ruling of the European Court of Justice was a legal dispute between the Austrian data protection activist Max Schrems and Facebook Ireland. Schrems argued that the United States is not in a position to adequately protect European data due to its far-reaching surveillance laws and intelligence activities. The ECJ followed this legal view.

Originally published by Naegele, July 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.