Menu Close

The European Court of Justice has invalidated this Thursday the mechanism allowing the transfer of personal data between the UEuropean Union and the United States. which is known as "Privacy Shield ”.

The American surveillance laws do not comply with the requirements of the GDPR.

The Court indicated in its judgment C-311/18 that the American laws on surveillance are in contradiction with the fundamental rights of the EU and that the Privacy Shield does not therefore guarantee adequate protection of personal data in the United States. United according to EU standards.

Indeed, the United States limits interference against the privacy of American citizens (or similar), but does not sufficiently protect the personal data of foreign persons against intrusions by the NSA. (National Surveillance Agency).

Furthermore, since the NSA (and other supervisory bodies in the United States) does not declare which companies, individuals or organizations are subject to supervisory measures, there is therefore no means for them to do so. data subjects to exercise their rights in the event of abuse.

According to Max Schrems, a data protection activist behind the procedure (and also behind the invalidation of the previous mechanism, namely the Safe Harbor):

The court has clarified for the second time now that there is a conflict between EU privacy law and US surveillance law. As the EU will not change its basic rights to satisfy the NSA, the only way to overcome this conflict is for the United States to introduce strong privacy rights for everyone, including foreigners. " 

The European Commission has not carried out a sufficient assessment of the adequacy of the Privacy Shield compared to EU standards.

The above-mentioned judgment also makes it clear that the European Commission would not have undertaken an in-depth evaluation of the Privacy Shield before validating it.

Herwig Hofmann, professor of law at the University of Luxembourg and one of the lawyers pleading Schrems' cases before the CJEU: “The CJEU has overturned the second Commission decision violating the EU's fundamental data protection rights. There can be no transfer of data to a country where there are forms of mass surveillance. As long as US law gives its government the power to access data from people in the EU transiting to the United States, these instruments will be repeatedly invalidated. The Commission's acceptance of US mass surveillance laws in the Privacy Shield decision has left them helpless.

The authorities responsible for the protection of personal data have the "duty to act" and the use of standard contractual clauses is not the silver bullet.

The Court agreed with Mr Schrems' opinion that it is only on the condition that the law of the recipient third country is not incompatible with European law that the CCTs (Standard contractual clauses validated by the Commission - SCC in English) ) can still be used to make transfers abroad. (As a valid alternative to a Commission adequacy decision).

Consequently, the use of CCT is not prohibited but must be subject to control (depending on the recipient country) to ensure its effectiveness.

According to Max Schrems: “ L''The judgment clearly states that companies can no longer be content to use CCTs but must also check whether CCTs can be observed in practice in the recipient country.

A Data Protection Authority theoretically has the duty to order a company to stop transfers if the standard contractual clauses cannot be respected ”.

Data transfers “necessary” to the United States can continue

Despite the invalidations pronounced by the judgment, absolutely necessary data transfers can continue on the basis of Article 49 of the GDPR. (Transfers that cannot be made on the basis of an adequacy decision, CCT or binding corporate rules - according to articles 45 and 46 of the GDPR)

Any situation where users explicitly want their personal data to be transferred abroad is still legal, since this can take place on the basis of the user's informed consent, which can be withdrawn at any time.

Similarly, the GDPR allows data transfers when necessary for the performance of a contract. It is a solid legal basis for most transactions in the United States.


It remains to be seen what impact this judgment will have in practice for American companies and in particular the GAFAMs and whether the American government will modify its surveillance laws in order to regain the status of a privileged partner of the EU. (At the level of personal data transfers).

You have questions relating to this subject, do not hesitate to contact me by sending me an email.


en_GBEnglish (UK)