In its decision of 16 July 2020, the European Court of Justice ruled that the transfer of personal data from the EU to the USA is no longer permissible on the basis of the so-called Privacy Shield. The Privacy Shield is an informal agreement from 2016 between the USA, the EU Commission and Switzerland. According to this agreement, personal data may be transferred to the USA under the conditions of the Privacy Shield, as there is an equivalent level of protection for personal data in the USA, compliance with which the recipients prove by means of appropriate certification.
In its ruling of 16 July 2020, the ECJ clearly rejected the permissibility of transferring personal data to the USA on the (sole) basis of the Privacy Shield: According to the decision of the ECJ, the Privacy Shield is ineffective and a transfer of personal data on this basis is not permissible.
Personal data may thus only be transferred from the EU (or Switzerland) to the USA if there is another legal justification. This could be, for example, the consent of the data subject whose data are to be exported, or, if applicable, standard contractual clauses approved by the European Commission. In the opinion of the ECJ, however, standard contractual clauses do not per se make the data transfer permissible. It is additionally required that the data subject is granted a comparable level of protection for his or her personal data in the recipient state (i.e. the USA) and that he or she is entitled to comparable protection rights. This examination must be carried out independently of the use of standard contractual clauses.
For companies, this means that they must first check whether and on what basis they transfer personal data to the USA and whether this legal basis meets the conditions laid down in the ECJ ruling. If this is not the case, they face the threat of substantial fines of up to EUR 20 million.