On Thursday, 16 July, the European Court of Justice issued a judgement which invalidates the use of the US Privacy Shield as a lawful basis for exporting personal data from the EU to the US.
Guidance from supervisory authorities suggests that, if you are currently using Privacy Shield, you should continue to do so until new guidance becomes available. However, you are urged not to start to use Privacy Shield during this period.
The Court has also ruled that the Standard Contractual Clauses (SCCs) transfer mechanism used to transfer data to countries worldwide is, in principle, valid, although it is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable. This is an issue that will require further and careful examination, not least because assessments will need to be made on a case-by-case basis. Additional safeguards, beyond the SCCs, may be required.
What you should be doing now.
- Watch out for guidance from supervisory authorities, the European Data Protection Board and the European Commission.
- Assess what data is being transferred outside the EU and on what basis.
- Understand where you are currently using Privacy Shield as a lawful basis.
- Engage with those processors to determine their response to the judgement.
- Determine whether any contractual documents require amending, perhaps with SCCs or even Binding Corporate Rules (where relevant).
- Continue to update your data mapping and processor section as required and as more clarity becomes available, and refresh your privacy notices each time you update your data mapping.
We will update this article and our help section to give you the latest developments on the situation.