Ground-Breaking Court of Appeal Judgment – Privacy Shield Invalid

Lise van den Heuvel


The European Court of Appeal passed a ground-breaking judgment this summer on the exchange of personal data between the EU and the USA.

The General Data Protection Regulation (GDPR) provides that personal data may not simply be transferred to persons or organisations located outside the European Economic Area (known as “third countries”). That is permitted only if those third countries offer the level of protection guaranteed under the GDPR. The GDPR provides that data may be transferred to third countries on the basis of:

  • adequacy decisions;
  • appropriate safeguards; and
  • standard contracts.

The Safe Harbour Framework, which sets out agreements between the EU and the USA on the exchange of personal data, was addressed in one of our earlier newsletters. Organisations that joined that Framework were considered safe processors of European personal data. Austrian privacy activist Schrems successfully argued at the time that the USA did not offer an adequate level of protection that allows the transfer of personal data from the EU to the USA. On 06 October 2015, the European Court of Justice consequently invalidated the Safe Harbour Framework under which personal data was exchanged between the EU and the USA at the time.

The Safe Harbour Framework was replaced by the EU-US Privacy Shield, which was intended to better protect the personal data of European citizens in the USA. The Privacy Shield would allow the US government to access only strictly necessary data. The European Court of Justice recently ruled in the Schrems II judgment that the Privacy Shield also insufficiently guaranteed the protection of personal data exchanged with the US, because the US government was able to access more data than agreed within Europe. US legislature allows intelligence and security services to use data of EU citizens, which goes beyond the agreement to access only “strictly necessary” data.

So what does this judgment mean? Now that the Privacy Shield has been invalidated, personal data of European citizens may no longer be exchanged with the USA under that framework. But the European Court of Justice does still allow the use of standard contracts. They may serve as a valid ground for the transfer of personal data of European citizens to third countries, including the USA. But, in that case, an equivalent level of protection must also be guaranteed in practice. The European Data Protection Board (EDPB) is currently investigating the practical consequences of the judgment and the follow-up steps, if any, to be taken. The EDPB will most likely publish guidelines in the near future for additional measures that organisations may include in standard contracts.

High Fines for Use of Fingerprints

The Dutch Data Protection Authority has imposed a fine of EUR 725,000 on a company that processed fingerprints of its employees. The fingerprints were used for time and attendance tracking. After investigating the case, the Data Protection Authority found that no exception applied on which the company could rely.

Like other biometric data, fingerprints are classified as “special personal data”. Such data may be used only if a statutory exception applies. The possible exceptions referred to in the law for the use of personal data include express permission given by the data subjects and the need to use biometric data for authentication or security purposes. But the company in question could not rely on either of those exceptions.

The question of whether fingerprints may be used for access control, for instance, depends on the required level of security of the building/room or the information systems. Fingerprints may be used, for instance, to give access to nuclear power plants, but not, for instance, in the case of POS systems, because good alternatives are available.

Express consent could also not be relied on as a valid ground for an exception in the case in question, because it involved a dependent relationship between an employer and its employees, which means that those employees were not free to withhold their permission. This fine demonstrates that the use of employees’ fingerprints is unlikely to be allowed. Such use is permissible only if the security of very important buildings of computer systems so requires and no equivalent alternatives are available.

For further information or advice on this subject, please contact This email address is being protected from spambots. You need JavaScript enabled to view it..


XLNC MAGAZINE | No. 06 | October 2020

Interested in becoming a member of XLNC?

If you are a professional services firm with an international client base and are regarded as one of the leading industry practices in your country, working to the highest standards and providing excellent client service, you meet the basic requirements for XLNC membership.

Become a member