EU Strikes Down EU-U.S. Privacy Shield

by: Paul H. Farmer, Jr. (CIPP/US)

In a July 16, 2020 decision, the European Court of Justice effectively struck down the EU-U.S. Privacy Shield based on a finding that U.S. law does not afford adequate protection (mainly to non-U.S. citizens) for personal data. Specifically, the Court invalidated a 2016 decision on the adequacy of the Privacy Shield. The practical impact appears to be that compliance with standard data protection clauses cannot be ensured for data exported to the U.S. This means that the export of data from the EU to the U.S. – at least under current U.S. law – would violate the GDPR.

It is now effectively illegal to transfer personal data from the EU to the U.S. The obvious implications go directly to U.S. businesses that collect data in the EU or host servers in the U.S. As the consequences of the decision manifest in the near and long term, the Court’s decision is a reminder of the constant challenge of privacy compliance that businesses face. Even for businesses that do not operate or directly do business in the EU, this highlights the rapidly evolving landscape of data privacy and security.

Almost all businesses collect personal data in some form, on their customers and their employees. Even under U.S. law, businesses risk liability by failing to ensure appropriate privacy compliance. The professionals at GJB can help identify and limit your business’s exposure by bringing to the table years of experience advising businesses and certification in information privacy.

If you have questions about how the European Court of Justice’s decision or privacy compliance in general impacts your business, contact GJB Senior Associate Paul H. Farmer, Jr. at