How organizations should now think about data protection

After the Privacy Shield court ruling, organizations will need to re-think the safeguards around personal data transferred outside of the EU.

On 16 July 2020, the European Court of Justice (CJEU) invalidated the European Union (EU)-US Privacy Shield Decision, while upholding the validity of the Standard Contractual Clauses Decision (SCC Decision), and therefore the use of standard contractual clauses in order to transfer personal data to third countries.

The judgment compared and contrasted in detail the data protection regime in the US with that in place within the EU. It comes five years after the CJEU invalidated the ‘Safe Harbor’ arrangement, which protected organizations transferring personal data from the EU to the US. An initial reading of the CJEU’s Privacy Shield decision suggests that organizations transferring data from EU jurisdictions to the US will no longer find such transfers relatively straightforward, with significant additional measures now required.

However, our more business-oriented, pragmatic view is that a number of elements in the decision mean this is not necessarily the case. Most organizations will need to re-think their data strategy when it comes to EU data – including when dealing with jurisdictions other than the US – but this may not necessarily halt business operations. Depending on the features of the local legal system in the third countries receiving EU data, transferring entities will need to establish additional safeguards where access to personal data by public authorities is not balanced according to EU expectations.

EY Law key contacts:

Fabrice Naftalski

EY Global Head of Data Protection Law Services

Peter Katko

EY Global Digital Law Leader