New Data Protection Ruling – Privacy Shield Ruled Invalid by the EU Court of Justice
July 23, 2020
Are you transferring data outside of the EEA to the United States or elsewhere? This new ruling means that you will need to make some changes.
Most organisations rely on data transfer agreements known as Standard Contractual Clauses (SCC) to transfer personal data to countries outside of the European Economic Area (EEA).
The General Data Protection Act (GDPR) data protection law states that appropriate safeguards must be in place if data is transferred out of the EU, to the United States or elsewhere.
The EU-US Privacy Shield replaced the Safe Harbour agreement and governed the transfer of EU citizens’ data to the United States.
On 16 July 2020 the Privacy Shield was struck down and confirmed invalid by the Court of Justice of the European Union. This new ruling will have substantial implications for thousands of businesses across the UK currently sharing data with the US.
I am using Mail Chimp / Other Email Marketing provider outside of the EEA, what should I do?
Now that Privacy Shield has been ruled invalid, these firms will be forced to review and sign standard contractual clauses drawn up by Europe that include all the relevant EU approved clauses that allow for the international transfer of data. You can wait to see what happens and if the US can find a suitable solution to appease the EU, or you can move your data to a provider within the EEA.
The Court of Justice findings are “the requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country”, and that mechanisms in the EU-US Privacy Shield apparently intended to lessen this interference and was therefore not up to the required legal standard of ‘essential equivalence’ with EU law.
If you would like to talk to us about your options, please call us on 01603 858250 and speak to one of our friendly team.