Read on Twitter
If your company is one of the 5378 who have certified under U.S. #Privacy Shield, your world got rocked last night. /1
Despite Privacy Shield having been approved and re-approved over the years, it died last night. TL;DR - if you were relying on Shield, you now have to put Standard Contractual Clauses in place with your EU data exporters. /2
The reason for this is that the EU Court of Justice just said that because of FISA Section 702, the fact that our privacy ombudsman is not a tribunal, data subjects have no remedy against the government here, /3
and our government in its current form couldn't possibly care less about an individual's privacy if it gets in the way of law enforcement or security (pretty much the Court's words, not mine), /4
anyway because of all that, US companies can't possibly be trusted to keep data subjects information protected at the level required under the GDPR because if the government comes knocking, they have no choice. /5
This was not a surprising decision, particularly given the fact that the defendant in the case that gave rise to this was Facebook 
. But it still has a real and meaningful impact on thousands of U.S. companies this morning. /6
. But it still has a real and meaningful impact on thousands of U.S. companies this morning. /6
The full text is here - the good stuff starts at paragraph 163. http://uria.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=9715083 /7
The Court's contempt for our surveillance state is fairly palpable. (Side note, I don't think this bodes well for an adequacy decision in the CCTV-happy UK either). /8
Good news, the standard contractual clauses that now have to replace reliance on Privacy Shield are just that - standard - so drafting them is not wildly expensive. Bad news - changing up all your practices to comply with them might be. /End
P.S. - Thanks @EuroPaulB for making me correct this - Standard Contractual Clauses are available now. They could be invalidated on a case-by-case basis by any of the Member State supervisory authorities at any time. After that, there are no mechanisms left.
