On 16 July the European Court of Justice (ECJ) decided to invalidate the EU-US personal data protection agreement (“Privacy Shield”), meaning that it is no longer available as a mechanism for legitimizing transfers of personal data from the EU/EEA to the US.
The ECJ also ruled that the European Commission's Standard Contractual Clauses ('SCCs') remain valid as a legal mechanism for transferring personal data outside the EU and the EEA. As of now, European companies will not be able to rely anymore on the fact that a company self-certifies as “Privacy Shield Compliant”. Instead, companies will need to use Standard Contractual Clauses (SCCs). In particular, the European Commission has approved Standard Contractual Clauses between an EU/EEA data controller to non-EU controller and from an EU controller to non-EU or EEA processor.
The European Commission has taken note of the ECJ decision and will consider restarting negotiations with the US government to find a new agreement to allow easier international data transfers between the EU and the US. Euralarm partner Orgalim released a short statement on the day of the judgment.
Please keep us informed on how you or your members are working on this issue/or not by 31 July 2020.