The Privacy Shield framework, which thousands of companies located in the United States have relied upon to receive transfers of personal data from the European Union, the United Kingdom, and Switzerland, has been invalidated by the European Union Court of Justice (ECJ). According to the ECJ, the United States approach to data privacy is not “essentially equivalent” to what is required in the EU due to surveillance programs utilized by US public authorities which are “not limited to what is strictly necessary.”
Companies that have been relying on the Privacy Shield will now need to utilize either standard contractual clauses or binding corporate rules, and will also likely need to amend their Privacy Policies.