In a landmark ruling with sweeping implications for global companies, on Thursday, July 16 the Court of Justice of the European Union (CJEU) ruled, in essence, that the personal data of EU citizens must receive the same protections granted by the GDPR, the European data privacy law, regardless of the jurisdiction the data is moved to or processed in, and that the Privacy Shield framework in place up to this point did not ensure that protection.
The ruling stems from a 2015 case (analyzed here), in which an Austrian privacy rights activist, Maximilian Schrems, spurred by the Edward Snowden revelations of widespread U.S. surveillance, took issue with Facebook's ability to make the private data of EU citizens available to U.S. authorities, in violation of the EU Charter. Ultimately, the CJEU found that the Safe Harbor principles, which at the time governed the transfer of data between the EU and the U.S., did not provide the adequate protection of EU citizens' private data that the GDPR requires. Consequently, the Safe Harbor principles were revoked and replaced by a more robust framework, Privacy Shield. The latest and final ruling of the court this week invalidates Privacy Shield as well, for similar reasons of inadequate protection. This leaves companies with EU interests scrambling to put in place immediate measures to safeguard any EU residents' data they use, process or transfer, in lieu of the Privacy Shield protocols. The ruling provides no grace period for the transition, and the decision of the court cannot be appealed.
This is a major development in the data privacy realm. Protiviti has issued a Flash Report with detailed background of the ruling, an overview of the regulations that remain in place, and a list of recommended actions for companies to take right away.
Read additional posts on The Protiviti View related to Cybersecurity and Risk & Compliance.