The Court of Justice of the European Union annulled the EU-US Privacy Shield

On 16.07.2020, the Court of Justice of the European Union issued a decision annulling the EU-US Privacy Shield Agreement for data transfer. The decision invalidates the EC Decision on the EU-US Privacy Shield in EU-US relations. The reasons for the annullment are that the personal data of European citizens are not sufficiently protected from misuse, as the mechanism for the protection of the rights of individuals before the US Ombudsman does not provide sufficient guarantees for their rights equivalent to those existing in the European Union. In this regard, it should be noted that the transfer of personal data for ordinary services such as sending e-mails, car rental, hotel reservation, purchase of airline tickets will not be affected, as Art. 49 of Regulation (EU) 679/2016 provides for derogations in specific cases, such as: – explicit consent of the data subject to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards; – the transfer is necessary for the performance of a contract between the data subject and the controller or for the performance of pre-contractual measures taken at the request of the data subject; – the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person.

At the same time, Decision 2010/87 / EU of 2010 on standard contractual clauses used by thousands of data controllers remains in force. It is important to note, however, that the transfer of personal data based on standard contractual clauses should be suspended by national data protection supervisион аутхоритиес in the event of a breach of these clauses or failure to comply with them, as a level of protection equivalent to that guaranteed in the Union must be provided. In this regard, the Court of Justice clarifies that the assessment of this level of protection must take into account both the contractual clauses agreed between the data exporter established in the Union and the transferee established in the third country concerned, and as regards the possible access of the public authorities of that third country to the personal data thus transmitted, the relevant elements of its legal system.