US laws on data protection are not strict enough to meet EU law requirements
Today’s ruling of the Grand Chamber of the Court of Justice found the EU-US Privacy Shield Decision 2016/1250 to be invalid, as US laws on data protection are not strict enough to meet the legal requirements of the European Union and ensure the same level of privacy that is provided by the EU’s General Data Protection Regulation (GDPR). In practice, this means that companies that transfer data from the EU to the US have to establish a new legal agreement to remain compliant. At the same time, the court decided that Decision 2010/87, which established certain contractual clauses for data transfers to third countries, is still valid.

The decision concerned Mr Maximilian Schrems’ complaints about transfers of his personal information from Facebook Ireland to Facebook Inc., located in the USA. Schrems claimed that US laws do not offer sufficient protection, and he wanted such data transfers to be prohibited. The court rejected his appeal in 2020, and today’s ruling further confirmed that the use of standard contractual clauses does not violate GDPR.