CJEU declares privacy shield invalid

The Court of Justice of the European Union (the “CJEU”) has just issued a decision relating to transfers of personal data to the US.

By way of background, the General Data Protection Regulation (“GDPR”) provides that personal data may only be transferred outside of the EU subject to certain conditions/criteria/safeguards. In this respect, to date, a number of entities would transfer personal data to a US entity in reliance of the fact that the US based recipient was a member of the Privacy Shield, given that the Privacy Shield was considered to be a mechanism that offered equivalent safeguards for personal data to those imposed by GDPR.

By means of this ruling, the CJEU has declared that the Privacy Shield can no longer be relied upon as a ground for transferring personal data since its protections are not deemed adequate. Transferring personal data to third countries without adequate protections or other legal grounds can carry hefty penalties under GDPR.

What should you do?

Step 1 – You should determine whether you are transferring personal data to an entity in US – e.g. because you have engaged a US entity to provide you with certain services, such as a data storage or hosting provider, or you form part of a group of companies that has entities located in the US. If you are not, then this decision might not be of immediate importance to you but should be borne in mind.

Step 2 – If you are / were transferring personal data to the US, you should check the processing grounds that you were relying on when transferring such personal data. If you relied on the Privacy Shield to do that then, since that ground no longer exists, you need to re-assess the situation and either stop transferring data or adopt other GDPR-safe procedures such as EU approved standard form contractual arrangements, then again this decision might not be of immediate importance to you but should be borne in mind.

We are closely monitoring the situation, however please feel free to get in touch with us on gdpr@ganadoadvocates.com should you have any queries on how this may impact you further.