Categories: Insights, Practice

Tag: Privacy Shield


27 Jul 2020

Privacy Shield: the Court of Justice of the European Union invalidates the EU – USA Agreement

With judgment dated 16 July 2020, “Data Protection Commisioner v Facebook Ireland Limited, Maximilian Schrems C-311/18”, the Court of Justice of the European Union (hereinafter, the “CJEU” or the “Court”) has declared Decision No. 2016/1250 invalid and, along with it, the agreement signed between the European Union and the United States of America aimed at protecting and governing the transfer of the  personal data of European citizens to the recipient located within the US territory (the so-called “Privacy Shield”).

The decision of the Court of Justice

The Court has ascertained that any potential transfer made by US public authorities in respect of all personal data transferred to the US territory shall prevail over the limitations foreseen by the fundamental rights of the European citizens concerned (“data subjects”), which the EU regulations aim at protecting.

At present, the EU regulations of reference on the protection of personal data are included in Regulation (EU) 2016/679 (hereinafter, the “Regulation”), based on which the personal data of data subjects, if transferred to Countries outside the European Union, must be protected by equal guarantees to those provided for under EU law.

In invalidating the Privacy Shield, the CJEU states again the lawfulness of the tool consisting in the so-called Standard Contractual Clauses (“SCC – Standard Contractual Clauses”) adopted by the European Commission, but instructs the supervisory authorities of each single EU Member Country to check as well as, if necessary, to suspend and ban the transfer of personal data to Third Countries having a legal system not in compliance with the requirements included in any such Clauses.

The tools foreseen by the Regulation

The decision at issue does not set a total ban to the transfer of personal data towards the US, but imposes that the parties and the organisations making any such type of transfer identify alternative tools justifying the exchange, thus ensuring appropriate levels of protection for the data subjects.

In this respect, please note that the Regulation provides for different tools and procedures to be used in order to implement a correct transfer of data outside the European Union. In particular:

  • the existence of an adequacy decision to the EU requirements on the protection of personal data;
  • the adoption of Standard Contractual Clauses;
  • the adoption of Binding Corporate Rules (“BCR _ Binding Corporate Rules”) by large international groups following the negotiation with the supervisory Authorities of the countries involved;
  • the agreement to specific Codes of conduct or, in any event, to certification procedures, which must be concomitantly applied by the party to which the data are transferred;
  • the data subject’s consent, which must be duly informed as foreseen by the Regulation itself.

◊◊◊◊

In light of the rulings of the Court of Justice with the judgment under examination, the organisations engaged in transferring the personal data of data subjects towards the USA are under an obligation to revise the procedures on which they have grounded any such transfers, by identifying alternative tools in the cases in which, up to now, the Privacy Shield has been used.

As clarified by the Court, should the Standard Contractual Clauses tool be used, it shall be necessary to identify the risks, even potential, by analysing both the organisation of the party receiving any such data and factors such as the context, the sector or the legal system of the Third Country in which the latter does business.

Subscribe to our newsletter

Contact

Need information? Write to us and our team of experts will respond as soon as possible.

Fill in the form

More news and insights

8 Jul 2026

Pay transparency: one month after its entry into force, two approaches are emerging in the market (The Platform, 8 July 2026 – Vittorio De Luca, Claudia Cerbone e Martina De Angeli)

Since 7 June, EU rules aimed at strengthening the principle of equal pay between men and women for the same work or for work of equal value have…

2 Jul 2026

Did you know…? As of 7 June 2026, Legislative Decree No. 96/2026 is fully in force

As of 7 June 2026, Legislative Decree No. 96/2026 is fully in force. It also introduces into the Italian legal system a structured framework on pay transparency, with…

2 Jul 2026

Failure to serve disciplinary charges does not render the dismissal null and void: italian supreme court confirms no reinstatement remedy for employers below the statutory workforce threshold

Principle of Law In its recent judgment No. 17283 of 1 June 2026, the Italian Supreme Court (Corte di Cassazione) examined the legal consequences arising from the employer's…

2 Jul 2026

AI and the employment relationship: initial guidance from the implementing decrees and data protection implications

Following the preliminary approval by the Council of Ministers, on 10 June 2026, of the first draft legislative decrees implementing the enabling law on artificial intelligence (Law No.…

1 Jul 2026

Sustainability, Responsibility, and the Future: A Commitment That Grows with Time

As we celebrate our 50th anniversary, we have chosen to look to the future with the same care and dedication with which we preserve our roots. Those roots…

25 Jun 2026

Pay Equity and Pay Transparency: What Will Change in Italy (People are People, 25 June 2026 – Claudia Cerbone e Martina De Angeli)

With Legislative Decree No. 96 of 7 May 2026, which entered into force on 7 June 2026, Italy transposed Directive (EU) 2023/970 on pay transparency, becoming one of…