THE EU-US PRIVACY SHIELD, the principal agreement governing the transfer of personal data between the EU and the United States, has collapsed.
On Thursday morning the Court of Justice of the European Union delivered a fatal blow to the primary agreement relied upon by millions of businesses across the European Union to safely and legally transfer data between the EU and the United States.
The decision was handed down as a result of the Schrems II case against Facebook. However, it delivered an unexpected secondary effect which rocked the data protection world: it declared that US law does not provide adequate protection for the privacy and data protection rights of European citizens.
The results of this ruling are simple: you can no longer rely on the EU-US Privacy Shield for routine transfers of personal data. This includes third-party cloud services which base their data storage in the US.
There is a small silver lining: the same ruling also confirmed the validity of the EU Standard Contractual Clauses for transfers between the EU and the US. However, this is likely to result in a large amount of extra work for most businesses, especially smaller businesses that may not have easy access to legal help.
The simplest solution for most UK businesses is to make sure your vendors store data within the UK or Europe. This means:
It's possible that you may need to find alternatives for some services that store data in the US.
If a service is absolutely vital and processes data in the US, make sure it includes a Data Processing Agreement. This agreement needs to implement the EU Standard Contractual Clauses.
If you need any assistance moving your data to a compliant location, we can help. Contact us today for a no-obligation consultation.