The EU Court of Justice decided today to invalidate the EU-US Privacy Shield agreement. This is a significant change to the privacy landscape in the United States for companies transferring personal information from the EU. In short, the court found that US companies could not provide reliable protections for the information of EU data subjects due to government surveillance practices.
In the same decision, Standard Contractual Clauses were found to be valid. This leaves an avenue for US companies to continue to transfer data, assuming adequate data protections are put in place for the transfer. Additionally, Article 49 provides derogations for the legal transfer of data outside of the EU, including consent of the data subject and the establishment or performance of a contract.
Privacy Ref is reviewing potential approaches to respond to this decision in order to maintain business continuity for our customers. If you have questions, please do not hesitate to contact us.