- EU court decision: transfer of personal data to US technically unlawful
EU court decision: transfer of personal data to US technically unlawful
EU court decision: transfer of personal data to US technically unlawful21st July 2020 - Published by
The Court of Justice of the European Union (CJEU) has taken the decision to invalidate the US Privacy Shield whilst maintaining the validity of the Standard Contractual Clauses (SCCs). This has cast doubt on the steps users of the SCCs need to take to ensure any transfers under them remain valid.
This decision will have a big impact on any business that transfers data – both to the US and to any other country in the world.
US privacy shield and standard contractual clauses
Businesses who previously relied on the US Privacy Shield will now need to ensure they have alternative measures in place to ensure the lawfulness of their transfers. This will include large companies such as Microsoft, Amazon and Google. The CJEU also stressed that companies should not rely blindly on the SCCs and should be assessing, on a case by case basis, whether the country to which they propose to transfer data under the SCCs provides protection to personal data equivalent to that in the EU.
Businesses should therefore be taking stock of where SCCs are used for international transfers and whether these are still appropriate in light of the recent decision. There is a large question mark as to whether transfers from the EU (including the UK) to the US using the SCCs will be lawful given the concerns raised by the CJEU in respect of the US framework for the protection of personal data in its decision.
We will provide a further update in respect of this decision once the ICO’s highly anticipated response to this has been released.
Speak to a specialist data protection lawyer
If you would like to speak to a data protection advisor about your responsibilities as a business surrounding the transfer of data, please contact Rebecca Bainbridge on 0161 838 7986 or email email@example.com.