In case you missed it, one of the most significant events of the summer holiday period in the data world took place in a room in Luxembourg.
The Court of Justice of the European Union ruled (in the case usually referred to as Schrems II) that the EU/US Privacy Shield does not provide protection essentially equivalent to that required under EU law, and struck it down as invalid.
This means that data transfers from the EU to the US can no longer rely on Privacy Shield as their legal basis; any such transfer now needs another mechanism, such as Standard Contractual Clauses (SCCs), and even those are subject to a case-by-case assessment of whether the importing country's law undermines them.
There will be wide ramifications from this, many of which are not fully clear yet. However, there are a few things businesses in the EEA and UK can be doing:
- Double check your data flows, especially any that might send data out of the EEA (not just to the US)
- Check whether the destination country is covered by an EU adequacy decision; if it is not, confirm which transfer mechanism (normally SCCs) you are relying on and whether the destination's legal regime actually lets the importer honour it
- Ask your partner/data importer to highlight any potential inadequacies in local law
- Put Standard Contractual Clauses in place where they are missing, together with any supplementary measures (technical, contractual or organisational) needed to address the gaps the importer has identified
However, the court's reasoning was that US surveillance law takes precedence over any contractual commitment an importer can make and is not limited to what is strictly necessary and proportionate, so in many scenarios SCCs alone will not be enough to make transfers to the US lawful.
This will also affect the UK on the back of Brexit. Once the transition period ends, the UK becomes a third country for GDPR purposes, and it is unlikely an adequacy decision will be in place beforehand, although given that the UK is currently under GDPR, one would like to think the gap would not be significant. UK-based data controllers and processors will therefore need SCCs in place for transfers they receive from the EU before the end of the year.