European Union’s Top Court Strikes Down EU-US Privacy Shield

The Court of Justice for the European Union has invalidated the EU-US Privacy Shield as an approved mechanism for transferring personal data from the European Union to the United States. The Privacy Shield had been in place since October 2015, and enabled U.S. companies to more easily receive personal data from EU entities. The decision by the court “leaves many companies scrambling to implement alternative mechanisms to safeguard personal data transfers to the U.S.,” says Sten-Erik Hoidal of Frederikson & Byron, P.A. With the invalidation of the privacy shield, companies are essentially left to decide on their own how data will be lawfully transferred. Attorneys from Perkins Coie recommend companies “consider amending any data processing addenda (DPAs) which companies have signed with vendors or customers to incorporate the EU Standard Contract Clauses.” Moving forward, U.S. and European companies will now attempt to create a new deal that complies with the privacy standards for transferring digital information. The first large company to weigh in on the decision, Microsoft tells customers that they “can continue to use Microsoft services in full compliance with European law” and that the ruling “does not change the data flows of our services to Consumers.”