On 16th July, in a decision that will have far-reaching implications for all organisations that send personal data outside the EU, the Court of Justice of the European Union (CJEU) decided that:
- Privacy Shield is invalid as a mechanism for transferring personal data to the USA; and
- Standard Contractual Clauses (SCCs) cannot be used without also taking steps to check that the data to be transferred will be adequately protected in accordance with the GDPR.
This decision means that all organisations that use American businesses that rely on Privacy Shield will need to put in place one of the alternative arrangements permitted by the GDPR.
A list of the US businesses that use Privacy Shield can be found here. These include some very high-profile companies that many UK organisations use, including Facebook, Google, HubSpot, Mailchimp, and Microsoft.
This decision means that:
- There can be no new transfers of personal data to the USA via Privacy Shield; and
- All current arrangements to transfer personal data outside the EU via SCCs will need to be reviewed.