The European Court of Justice (ECJ) released its decision in the Schrems II case on 16 July 2020.
The Court has overruled the EU-US Privacy Shield which has been relied on by organisations throughout the EU to freely transfer personal data to 5,300 companies in the US since February 2016. The Government had indicated it would be possible for UK organisations to continue to rely on the Privacy Shield following the end of the current Brexit transition period.
The Court has not revoked the Standard Contractual Clauses and these continue to provide an alternative and valid method for transfers of personal data to the US. Many large organisations, such as Microsoft, are already using Standard Contractual Clauses and have procedures in place to roll these out at scale. It is likely that others will be quick to put measures in place.
The current situation mirrors that experienced in 2015 when an earlier EU-US data transfer scheme known as Safe Harbour was unexpectedly overruled by the European Courts. In that instance The UK and European data protection regulators elected not to pursue any immediate enforcement action in respect of ongoing data transfers.
The ICO has yet to issue a full response but has published a brief statement on its website saying “We stand ready to support UK organisations and will be working with UK Government and international agencies to ensure that global data flows may continue and that people’s personal data is protected.”
The Birketts Data Protection Team is currently reviewing the full decision and will be releasing more detailed guidance shortly. Updates will be published on our website and on Twitter. Please follow us on @birkettsLLP for the latest updates.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at July 2020.