EU Court of Justice declares EU-US Privacy Shield invalid - is your data at risk now?
July 16, 2020 (Press release for Case C-311/18) - The EU Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield. The restrictions of the Privacy Shield Decision 2016/1250 assessed by the Commission in protection of personally identifiable information, resulting from the fact that U.S. authorities under the law of the United States on such data, which are transferred from an EU country to the U.S. may access and use them, are not regulated in such a way that requirements equivalent in substance to those laid down by EU law in accordance with the principle of proportionality would be met, as the surveillance programmes in the U.S. are not limited to what is strictly necessary.
As regards the requirement of judicial protection, the Court holds that, contrary to the view taken by the Commission in Decision 2016/1250, the Ombudsperson mechanism referred to in that decision does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law, such as to ensure both the independence of the Ombudsperson provided for by that mechanism and the existence of rules empowering the Ombudsperson to adopt decisions that are binding on the US intelligence services. On all those grounds, the Court declares Decision 2016/1250 invalid.
What are the risks? What do we need to do now?
The transfer of personally identifiable information (PII) to the U.S. is illegal now and could result in fines of up to 20 million euros or 4% of the worldwide annual revenue as well as claims for damages from affected individuals. The EU Data Protection Commissioners have already pointed out that there will be no "grace period" in this context - the "transfer of personally identifiable information to the U.S. on the basis of the EU-US Privacy Shield is unlawful and must be stopped immediately".
Companies and organizations based in the EU that transfer PII by using service providers from the U.S., now have these two options:
1. Negotiate an individual data protection agreement with each U.S. service provider, which is fully compliant with the GDPR and the standard contract clauses and submit it to the respective data protection authority for review and approval.
2. Switch service providers now and choose a German company, whose solution is already 100% GDPR compliant by default. Our Address Validator offers you these advantages:
- 100% GDPR Data Protection Guaranteed
- Servers based in the EU
- Software made in Germany - highest accuracy, maximum performance
- Flexible rates + 30-Day unconditional Money Back Guarantee
- Free Trial
We make things very easy for you - you can test Address-Validator with a free trial.
Address List Validation & Cleaning
Address-Validator detects invalid addresses and provides corrections for incomplete addresses - just upload your address list from Excel/CSV files, CRM systems and customer databases here:
Verify Addresses Online
With the Address-Validator Online API you can validate postal addresses directly on your website. Users can correct typos instantly, and only valid addresses will be accepted.