The Privacy Shield was an agreement negotiated in 2016 between the European Commission, the US Department of Commerce and Switzerland to provide a mechanism for companies to transfer data from the EU and Switzerland to the United States. Under the Privacy Shield companies could self-certify that the necessary safeguards have been put in place for the protection of transatlantic transfers of personal data. The Privacy Shield subsequently received approval from the European Commission in the form of an adequacy decision in July 2016. The adoption of this decision meant that the EU-US Privacy shield offered an adequate level of protection for personal data.

After its adoption, a group of European privacy activists quickly filed a legal challenge to the Privacy shield as they argued that it failed to uphold fundamental EU rights. At the same time, an Austrian privacy activist, launched a judicial process in Ireland against the Standard Contractual Clauses (SCC) as he considered that they did not prevent the US Intelligence Services from claiming its personal data transferred to US Companies. The Standard Contractual Clauses (SCC) are a set of model contractual terms that can be used between EU-based data exporters and non-EU based data importers and are commonly used for the transfer of personal data outside the EU. The clauses predate the GDPR and have not been updated since the GDPR came into force in 2018.

The CJEU concluded that US law enforcement agencies have wide-ranging access to personal data that are received by Privacy Shield-certified entities in the U.S., and that such access is not subject to equivalent protections to those that exist under EU law. In particular, the CJEU found that access to transferred data by US law enforcement agencies is not subject to the principle of proportionality and is not limited to what is strictly necessary. The CJEU also held that there is no mechanism that enables individuals to bring complaints about the processing of their personal data in a manner equivalent to the rights that exist under EU law. Accordingly, the adequacy decision from 2016 was invalidated and the EU-US Privacy Shield cannot longer be usedfor transatlantic data transfers.

The CJEU also examined the validity of Standard Contractual Clauses (SCC). The CJEU ruled the SCCs are valid. However, the CJEU underlined that a correct application of the SCCs require the parties to assess whether they can comply with their respective obligations under the SCCs in the light of the data protection laws in the country where the data recipient is established. Supervisory authorities are required to stop or prohibit such transfer to a third country where the SCCs are not or cannot be complied with.