Landmark European Court of Justice ruling could “take out” Standard Contract Clauses and Privacy Shield
If, like most organisations you transfer personal data outside the EEA, (think about your Facebook page, Twitter account, Dropbox, Apple, Mailchimp etc.) a legal case with a familiar backstory could end Privacy Shield and the EU Standard Contract Clauses. (SCCs). Privacy Shield and SCC’s are the two most popular GDPR safeguards used as a legal basis to transfer personal data to countries outside the EEA. And, the chances are, that many organisations will be relying on one or both of these mechanisms in order to tick the GDPR rule that restricts transfers of personal data outside the EEA.
On 9th July, the CJEU heard a claim that SCCs are invalid because they fail to prevent U.S security bodies from accessing personal data transferred to the U.S. (A similar argument led to Safe Harbor being disgraced and replaced with Privacy Shield. Remember?)
In evaluating the clauses, the CJEU will no doubt be scrutinising Privacy Shield too.
The fact that SCCs apply to most international transfers, and not just to the U.S, is a point which has not eluded us all. If successful, the claim will spell massive disruption (again) to the transfer of personal data worldwide. A ruling is expected in 2020.
We will be keeping a close eye as the judgement will affect many businesses.
Paula Williamson, Solicitor at The Information Law Practice www.ilp.legal