Five tips for EU-U.S. data transfers post-Privacy Shield
On 16 July 2020, the Court of Justice of the European Union (“CJEU”) decided that the EU Commission’s Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield is invalid. According to the CJEU, the Privacy Shield was not fit for purpose and had to be scrapped immediately. Companies were left scratching their heads as to what they could do to ensure data transferred between the European Union and the United States complied with the GDPR, the EU’s data protection law.
While the CJEU had highlighted the problems, it did not suggest any solutions, especially as to the adequacy of the other two popular mechanisms to enable safe transfers, the so-called Standard Contractual Clauses (“SCCs”) and Binding Corporate Rules (“BCRs”). The European Data Protection Board (“EDPB”) was also of little help, publishing a FAQ that most notably said there would be no “grace period.”
In the meantime, however, there are several steps companies can take to protect themselves from potential GDPR violations when transferring data between the European Union and the United States or another third country with similarly strong surveillance laws. A newly published article on Compliance Week presents 5 tips for temporary EU-U.S. data transfers.