The TSUE stated that:
- Transfers of personal data to third countries under the Standard Contractual Clauses (SCC) should be preceded by an analysis of whether an adequate level of data protection is respected in the country concerned,
- The European Commission's decision on the Privacy Shield is annulled because of the risk of significant interference by US services with the fundamental rights of data subjects.
What does this mean?
The TSUE judgment means in practice that transfers of personal data from the European Union to the US under the Privacy Shield have become illegal overnight. The TSUE did not foresee any transitional period. The legal basis for data transfers to the US and other third countries may include standard contractual clauses, with the controller always assessing whether an adequate level of data protection is respected in the third country.
As a consequence, in the case of transfers of personal data to a third country on the basis of standard contractual clauses (also within a single capital group), the data exporter should make an individual assessment of the level of data protection taking into account not only the contractual provisions, but also the laws of the country to which the data are being transferred.
How can we support you?
Due to the increased risk associated with the transfer of data to the US and other third countries, we can:
- Review your company's data protection records and practices
- Verify the legality of the basis for the transfer of personal data to third countries
- Present the risks associated with the application of existing methods of transferring data to third countries
- Propose alternative measures to safeguard the transfer of personal data abroad