Court has ruled that the Privacy Shield framework is no longer valid for the purpose of US/EU data transfers amid fears over surveillance and the lack of data safeguards in the US.
Today in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems C-311/18, the European Court of Justice has delivered its binding ruling with regards to data transfers from the EU to the US. A key ECJ ruling effectively rejected the Privacy Shield framework agreement between the EU and the US over the clash of the EU privacy regime and the US surveillance laws.
Accordingly, it is no longer lawful to transfer personal data from the EU to the US on the basis of the Privacy Shield framework.
Despite the rejection of the Privacy Shield framework, transfers on the basis of the Standard Contractual Clauses framework have been upheld and remain to be a valid data sharing tool which is used by millions of companies across the world.
We are aware that many of our clients may be transferring personal data on the basis of the Privacy Shield framework. Accordingly, we advise our clients to check:
- if you or any of your contractors, who have access to your personal data, store such data on the servers located in the US; and
- ensure that transfer of personal data from the EU to the US is on the basis of the Standard Contractual Clauses rather than the Privacy Shield framework.
Please contact us if you are unsure what this might mean for you.