The highly anticipated ruling from the Court of Justice of the European Union landed just a few hours ago. Nicknamed the Schrems II judgment, the Court found that the arrangement regulating flow of data between the European Union and the United States, or as it is otherwise known, the ‘Privacy Shield’ is invalid.
The Court found that “requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country […] [and these limitations] are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law”.
The CJEU however confirmed that the EU’s decision on the use of SCCs for the transfer of personal data to processors in third countries is still valid, and highlighted that EU data protection authorities have a “duty to act” vis-à-vis the enforcement of the GDPR.
The CJEU’s detailed press release can be found here: https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf