Legal briefing

The European Court of Justice strikes down international data transfers made under the Privacy Shield agreement


In this Legal Briefing, we analyse the main aspects of this decision of the ECJ.

The European Court of Justice (“ECJ”) has ruled in its judgment in the Data Protection Commissioner v Maximillian Schrems and Facebook Ireland case (C-311/18) that the Privacy Shield agreement (“Privacy Shield”) does not provide an adequate level of protection, according to the standards of the Charter of Fundamental Rights of the European Union (the “Charter”) and the General Data Protection Regulation (the “GDPR”). In its ruling, the ECJ considered, on one hand, the validity of the European Commission’s Decision 2010/87 on standard contractual clauses, and, on the other hand, the validity of the Privacy Shield agreement itself.

With respect to the validity of European Commission Decision 2010/87 on standard contractual clauses, the ECJ declared that, in its opinion, it complies with the guarantees set out in the Charter and in the GDPR, but noted that there are certain obligations that both the exporter and the importer of data must fulfil, such as, for example, and by way of illustration, checking that the country of destination of the data complies with minimum-security standards.

The entire content of the Legal Briefing can be found in the PDF.

Related Practice areas

Pérez-Llorca uses its own and third-party cookies, located in countries whose legislation does not guarantee an adequate level of data protection, to compile statistics on the use of this service. You can accept or reject the use of cookies by clicking on the buttons at the bottom of this banner and obtain more information about the use of cookies and your rights in our cookies policy.