The EU-US Privacy Shield agreement, which enabled the transfer of EU citizens’ data to the US without further safeguards, has been struck down by a decision of the European Court of Justice (ECJ).
The decision will have a huge impact on the thousands of organisations that have relied on Privacy Shield to transfer personal data to the US.
In a statement issued today, the judges expressed concern that transfers of personal data to organisations with Privacy Shield certification were not limited to what is “strictly necessary”. Concerns focused on the potential exposure of EU citizens to surveillance in the US.
The ECJ has confirmed that standard contractual clauses remain a valid mechanism by which personal data may be transferred to a third country, and many US companies that did not benefit from Privacy Shield certification have already been relying on those clauses. The most logical solution for EU companies that previously relied on Privacy Shield to transfer data to the US may be to incorporate standard contractual clauses into their arrangement with the US company. It is likely that the standard contractual clauses will come under closer scrutiny in the coming months, particularly as updates to those clauses have been mooted for some time.
The UK’s Information Commissioner’s Office (“ICO”) has recommended that companies continue to use Privacy Shield until further guidance is provided. Companies that do not currently use Privacy Shield should not start doing so at this stage. We will provide further information when the ICO updates its advice.