top of page

Analysis of CJEU’s decision on annulment of EU-US Data Privacy Shield

Updated: Dec 30, 2020

Ankita Bhailot,

Research Intern,

Indian Society of Artificial Intelligence and Law.


In this intensely digitalize and the data-rich world, data streaming across the globe is a part of business communications and commercial as well as social interactions. In March 2012, the EU and the US issues a joint statement on data protection affirming that both were ‘dedicated to the operation of the Safe Harbor Framework- as well as to our continued co-operation with the Commission to address issues as they arise- as a means to allow companies to transfer data from the European Union to the United States, and as a tool to promote transatlantic trade and economic growth’[1]. However, a little more than a year later in July 2013 and following the disclosures of NSA informant Edward Snowden, the then Vice President of the Commission expressed at the Justice Council that ‘the Safe Harbor agreement may not be so safe after all. It could be a loophole for data transfers because it allows data transfers from the EU to the US companies – although the US data protection standards are lower than our European ones[2]’. This system hence did not resolve the Fundamental conflict among surveillance and data protection.

The case under analysis is Schrems II case (Schrems I[3] being Maxmillan Schrems Vs Data Protection Commissioner where the CJEU put shut down to the particular system directing data streams to the US), concerns overreaching surveillance system of the US invalidating the ‘Privacy Shield’ data-sharing system between the EU and the US. It also spreads light over Facebook’s large scale data processing strategy of EU citizen’s data and mass re-distributing of data transfer from the EU to the US. The US prioritizing digital surveillance is by the fact is allowed under the FISA[4] (Foreign Intelligence Surveillance Act, 1978) an executive order. This demonstration legitimately slams into the European Fundamental Rights, which bestows its residents with the privilege of security and data protection given under the EU Charter of Fundamental Rights. The specialists have consistently reprimanded the content as they would like to think that it penetrates the exceptionally rudimentary Rights of the residents to security and assurance.

The judgment laid by the Court of Justice of European Union (herein referred as CJEU) on the ampleness of security given by EU-US Data Privacy Shield is anyway refuted though; EU commission's choice on SCC (Standard Contractual conditions) for transfer of personal data to processor third nation has been expressed as substantial underlining in a way that the data protection privileges of the European residents are fundamental in nature. Further, the CJEU proposes that the SCCs shall be modernized in reference to the GDPR[5]. However, no firm course of events be created under EU information defensive order for such a process.

The Commissioner during the press briefing session expressed that the legal instruments for transatlantic data transfer continues to exist and vowed to work intimately with the US partners to graph a course towards subbing the Privacy Shield. Similarly, taking required shots at equivalent changes whenever required with GDPRs, concerning FISA Law versus the US government law on data security will not only make the present law in reference to other nations stand rigid but will assure transparency in transfer of data from the EU states to such third nations. This shall in return defend the enthusiasm of the residents just as it will be profiting the Companies. The US Department of Commerce acknowledged the decision and the fact that it has negative impacts on the transatlantic connection between the EU and the US. The practice will thus entail steady and continuous data transfer with solid protections to third nations and organizations including the current member organizations that are following Privacy shield strategy.

Regarding the level of protection required in respect of such a transfer, the Court holds that the requirements laid down for such purposes by the GDPR concerning appropriate safeguards, enforceable rights and effective legal remedies must be interpreted as meaning that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses must be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR, read in the light of the Charter. In those circumstances, the Court specifies that the assessment of that level of protection must take into consideration both the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the data transferred, the relevant aspects of the legal system of that third country.[6]

There can be seen various responses to the decision of the CJEU as the US is ending up circled into Schrems' Facebook-SCC challenge where the complainant contended that ‘the component penetrates fundamental EU rights and doesn't give sufficient security rights to the residents’. It concerns the state as the CJEU has settled on the Privacy Shield and not on SCC which doesn't have the instrument of self-assessment on the nature of security offered by any third nation. SCC according to the US presents to be a device that can ensure data protection rights to EU residents only if the legitimate condition exists.

The adjudicators for this issue have proposed that the data controllers will complete an appraisal of data security just to be managed by the nation where such information is being taken; wherein the controller of such data transfer will have a lawful commitment to follow-up on the complaints and suspend the exchange on the off chance that it doesn't correspond with the EU law. Diverse defending measures must be taken by the individual data exporter established in the EU foremost; in coinciding with the standard data security clauses received by the commission.

Regarding the supervisory authorities’ obligations in connection with such a transfer, the Court holds that, unless there is a valid Commission adequacy decision, those competent supervisory authorities are required to suspend or prohibit a transfer of personal data to a third country where they take the view, in the light of all the circumstances of that transfer, that the standard data protection clauses are not or cannot be complied within that country and that the protection of the data transferred that is required by EU law cannot be ensured by other means, where the data exporter established in the EU has not itself suspended or put an end to such a transfer.[7]

The Privacy Shield strategy has been refuted on the grounds of absence of security to the EU residents; the choice of CJEU is as yet not satisfactory with regards to what options exist for the organizations; for example, Facebook which is out of the domain of the US Surveillance Laws. Facebook for the issue is still utilizing SCCs to take EU resident's data to the US; this practice opens the legal hazard to different organizations, particularly to the ones that are set-up in the US where they might be exposed to data observation under the US laws.

All in all, the choice doesn't just influence data transfer to the US yet different purviews, for example, the UK, India or China will likewise require a system of solid surveillance laws. This decision will urge data protection regulators to rethink the worldwide exchange with states under solid surveillance approaches as it were. The UK, for the matter, has already experienced numerous evaluations during its Brexit transition period and has just been assessed by the European courts followed by the vital amendments wherever required.

The companies falling under FISA Law stands disappointed to the CJEU’s decision as it only stops the use of Privacy shield policy whereas if the data flow fell under the US surveillance law the SCC shall stand ceased thereon. No matter if under Privacy Shield or SCC, full-outsourcing of data subject to the US surveillance is still not allowed.


[3] Judgment of the Court under Max Schrems Vs DPC, 06/10/2015

[4] Decoding Section 702, FISA

[5] Privacy and Security Law of the European Union i.e. GDPR

The Indian Learning, e-ISSN: 2582-5631, Volume 1, Issue 2, January 31, 2021.


The Indian Society of Artificial Intelligence and Law is a technology law think tank founded by Abhivardhan in 2018. Our mission as a non-profit industry body for the analytics & AI industry in India is to promote responsible development of artificial intelligence and its standardisation in India.


Since 2022, the research operations of the Society have been subsumed under VLiGTA® by Indic Pacific Legal Research.

ISAIL has supported two independent journals, namely - the Indic Journal of International Law and the Indian Journal of Artificial Intelligence and Law. It also supports an independent media and podcast initiative - The Bharat Pacific.

bottom of page