In a significant legal judgment last week, the Court of Justice of the European Union (CJEU) declared that the EU-US Privacy Shield (relied on by many businesses to transfer personal data between the US and the EU) is invalid!
Here’s the context: Since 2016, UK businesses have been able to freely transfer personal data to and from the US under the EU-US Privacy Shield, but that now looks set to change.
Why does this matter to your business? If you rely on the Privacy Shield to transfer personal data to organisations within the US, you may no longer be able to do so!
But don’t panic… the Information Commissioner’s Office (ICO) (the UK’s independent body for upholding data protection) has advised businesses that currently rely on the Privacy Shield to transfer data to continue doing so while it reviews its guidance, but has asked other businesses not to start using it now. The ICO is urgently working on guidance about what you should do instead, and we’ll update you as soon as we can.
What if I transfer data outside the EEA to countries other than the US? The CJEU’s judgment also suggests that businesses relying on Standard Contractual Clauses (SCCs) for data protection when transferring data internationally may need to take additional steps to ensure that the data is properly protected. Unlike the Privacy Shield, SCCs are still valid after the judgment, but extra precautions might be needed. Until the ICO updates its guidance, if you rely on SCCs to transfer data and have any concerns, use our Ask a Lawyer service to speak to a lawyer.
For detailed guidance about transferring personal data inside and outside the EEA, see our Q&A on Sharing personal data.