It was in the air after A-G Saugmandsgaard’s conclusion last December, but now it’s official. The transfer of personal data from the European Union to organizations in the United States cannot be based on the Privacy Shield instrument, according to the highest judicial institution of the European Union. What does this mean?
The GDPR stipulates that the transfer of personal data to a third country can in principle only take place if the third country guarantees an adequate level of protection. The protection should broadly correspond to the protection afforded within the Union, the European Court ruled in 2015 in Schrems I, which declared the Safe Harbor instrument invalid.
In 2016, the European Commission and the authorities in the United States made new arrangements about the exchange of personal data: the Privacy Shield. According to the Commission, an appropriate level of protection would now be in place, provided the recipient organization in the United States was certified under the Privacy Shield.
The European Court thinks otherwise.
Companies and organizations in the European Union that currently transfer personal data to organizations in the United States that are Privacy Shield certified have two options: either they stop the transfers (for example, by terminating the contract or agreeing that the personal data will be stored and processed in European data centers) or they provide an alternative instrument.
Regarding alternatives, it makes sense to use standard contractual clauses (SCCs) approved by the European Commission. The judgment of the European Court shows that these SCCs are valid (at least the controller-to-processor variant thereof), although the European Court also makes some comments that call for caution in the use of SCCs. It is therefore still possible to transfer personal data to organizations in the United States, but caution is advised.
If you want to know more, please contact us.
Jeroen van Helden, attorney at law IT, IP & Privacy