On July 16, the European Court of Justice (ECJ) published its judgement on the adequacy of the protection provided by the European Union (EU)-United States (US) Privacy Shield (the Judgement).
In the Judgement, the ECJ held that the current EU-US arrangement for the transfer of personal data between the two jurisdictions is invalid. This means that companies can no longer rely on this mechanism for transferring personal data from the EU to the US, which could have far reaching consequences on financial market participants and companies more generally.
Contrastingly, the ECJ has upheld the validity of standard contractual clauses (SCC) as a means of transferring personal data between the EU and third countries (i.e. non-EU countries), provided that the relevant EU regulator has not prohibited the transfer of personal data to a third country where, in light of all the circumstances of that transfer, the standard EU data protection clauses are not, or cannot, be complied with.
In practice, companies using the SCCs should carry out due diligence before transferring personal data to a third country where the SCCs are being used. Recipients of that data have an obligation to inform the exporter where their local laws mean that they cannot comply fully with the SCCs, such as local laws with high levels of surveillance powers.
The Judgement is available here.