• Skip to primary navigation
  • Skip to main content
LinkedInTwitterYouTube
Private Equity Magazin
Advanced search
  • EN
  • DE

Private Equity Magazin

Private Equity Magazin

The magazine for private equity-professionals | Private Funds • M&A • Tax

  • Home
  • Latest news
    • Topic pages
  • Private Funds
  • M&A
  • Tax
  • Events
  • Background
    • Authors
    • About us
    • MUPET
    • Contact
  • DE
  • Advanced search
  • Monthly UpdatesPodcastLinkedInTwitterYouTube

CJEU declares Privacy Shield invalid

On July 16, 2020 the Court of Justice of the European Union (CJEU) passed a groundbreaking ruling on Privacy Shield and standard contractual clauses – with significant implications for international data transfer.

M&A

by Dr. Ralf Bergjan, ehemals POELLATH, Christine Funk, POELLATH, Benjamin Maciejewski, ehemals POELLATH
27 July 2020
  • European Union
  • exchange of data
  • Due Diligence
  • European Court of Justice (ECJ)
  • Data Protection
Privacy Shield
With its ruling, the European Court of Justice overturned the EU Commission’s privacy shield decision. Source: G. Fessy / Court of Justice of the European Union

On July 16, 2020 the Court of Justice of the European Union (CJEU) passed a groundbreaking ruling on Privacy Shield and standard contractual clauses, which will have a significant impact on international data transfer, particularly on data transfer between the USA and the Federal Republic of Germany. In particular, the ruling means that the transfer of personal data to the USA is no longer possible on the basis of certification in accordance with the Privacy Shield. However, the CJEU has confirmed standard contractual clauses, while pointing out the guarantees and obligations of the contractual partners under the standard contractual clauses.

Key Facts

  • The transfer of personal data to a country outside the European Union is in principle only permitted if this country offers an adequate level of data protection and the European Commission has determined this in a so-called adequacy decision.
  • The adequacy decision of the European Commission concerning data transfers to the USA on the basis of Privacy Shield is invalid.
  • Data transfers to Non-EU countries on the basis of standard contractual clauses are still permissible. Compliance with the guarantees and obligations under the standard contractual clauses must be critically reviewed with the contractual partner, especially in the case of data transfers to the USA.

Background of Privacy Shield

After the possibility of self-certification by the US Department of Commerce and the European Commission (so-called Safe Harbor) was declared invalid by the CJEU on October 6, 2015, the US Department of Commerce, together with the European Commission, subsequently drew up a new catalogue of principles, which was given the name Privacy Shield. By decision of July 12, 2016 the European Commission declared that the United States ensures an adequate level of protection for personal data transferred from the European Union to an organisation in the US under the Privacy Shield.

Judgment of the CJEU

The CJEU ruled that the decision of the European Commission concerning Privacy Shield of July 12, 2016 is invalid.

The CJEU justified its ruling, inter alia, by the fact that the decision of the European Commission concerning Privacy Shield gives priority to the requirements of national security, public interest and compliance with US law, which allows interference with the fundamental rights of the persons whose data are transferred to the US. The principle of proportionality is not respected, since the surveillance programs based on US legislation are not limited to what is strictly necessary.

Furthermore, the data subjects are not provided with effective legal protection before the Ombudsman. The data subjects would not benefit from guarantees equivalent in substance to those required under Article 47 of the Charter of Fundamental Rights of the European Union.

The CJEU confirms the validity of the decision of the European Commission of February 5, 2010 on standard contractual clauses for the transfer of personal data to processors established in Non-EU countries. The decision contains effective mechanisms that can ensure in practice that the level of protection required by European law is complied with.

However, according to the CJEU, the parties must first check whether the standard contractual clauses and thus the required level of protection can be met in the Non-EU country concerned.

Consequences for the M&A-Practice

Data transfers to the US that have been based on Privacy Shield so far have to be stopped or changed to another legal basis (e.g. standard contractual clauses). Without appropriate measures, data transfers to the USA are illegal with immediate effect and can be fined.

The parties must critically examine whether the obligations contained in the standard contractual clauses can be complied with, so that breaches of obligations do not give rise to claims for damages for the person concerned or fines.

On the seller’s side, when concluding the non-disclosure agreement (NDA), it must be checked whether prospective buyers come from outside the EU. In the absence of an adequacy decision by the European Commission, standard contractual clauses must be concluded. It must be discussed with the prospective buyers whether they can really comply with the guarantees and obligations in the standard contractual clauses. If necessary, the data room provider should also be consulted.

On the purchaser side, in the due diligence it must be examined whether the target company transfers personal data to Non-EU countries, and whether this is based on Privacy Shield or on standard contractual clauses. Depending on the result, appropriate guarantees or indemnifications must be included in the share purchase agreement (SPA) in line with the CJEU’s jurisdiction.

Print the article

  • twittern 
  • teilen 
  • mitteilen 
  • E-Mail 

The author

Dr. Ralf Bergjan

ehemals POELLATH

show all posts

The author

Christine Funk

POELLATH

Profile | Contact

show all posts

The author

Benjamin Maciejewski

ehemals POELLATH

show all posts

Testbild Featured Post

The M&A course communicates the basics of a successful implementation of M&A transactions.


More

Also interesting

  • Alternative Funds – Global Practice Guide 2020
  • The Private Wealth and Private Client Review
  • Brexit – New rules for data transfer between companies
  • Update – State corona aid further specified
Top
Private Equity Magazin
  • About us
  • Contact
  • Imprint
  • Data Protection Policy
Follow us on TwitterFollow us on LinkedInFollow us on YouTube

The experts of Private Equity