In July the European Court of Justice (ECJ) ruled that the US privacy shield, which had previously allowed data transfers of personal data from the EU to the US in respect of businesses who were signed up to it, did not provide sufficient safeguards for the protection of EU citizens personal data. What does this ruling mean for businesses who need to transfer personal data?
The GDPR restricts the transfer of personal data outside of the EU, unless the country in question is considered safe or other safeguards are in place. Where a country is considered to offer adequate protection for personal data, the EU will issue an adequacy decision – a formal notice which organisations can rely upon as a basis for transferring data to that country. A partial adequacy notice has previously been applicable to organisations in the USA who were signed up to a privacy shield scheme, however the ECJ decision now means that businesses who have been relying on the privacy shield to transfer data to the USA can no longer do so. If they do, they will be in breach of the GDPR and should therefore suspend such transfers until such a time they can establish an alternative lawful basis.
Transfer of data includes actually sending personal data to a US based client, customer or supplier but also where data is included in software hosted in the US or backed up on US based servers. However, all is not lost and there are other safeguards or exceptions that can be applied. These include; obtaining the explicit consent of the individual concerned, legal proceedings where necessary, some one-off transfers or using EU approved Standard Contractual Clauses (SCCs).
Use of standard contractual clauses is common where data is transferred on a regular or ongoing basis, with the clauses part of the contractual agreement between the parties. However, with both the standard terms, care must be taken to ensure that they are used correctly and that all conditions are met, as otherwise the transfer may be in breach of the GDPR.
If you require any advice on the international transfer of personal data or any other aspect of data protection the Lawspeed data protection team can assist. Please contact them on 01273 236 236 or email [email protected]
Adrian, a highly experienced lawyer, founded Lawspeed in 1997. He is responsible for developing our extensive portfolio of products and services, including the widely used Lawspeed contract templates. Adrian is an expert on “recruitment law” and specialises in contracts, regulatory compliance, employment status and dispute handling. He is chair of the trade body the Association of Recruitment Consultancies, the only lawyer lead recruitment trade body in the UK. Adrian and his co-director Ravi devised Standards in Recruitment as a vehicle for helping drive up standards and compliance in the industry.
Adrian is our lead in discussions with the government over regulatory evolution. Apart from assisting with client support, Adrian’s primary role is research and development into methods of business delivery, our latest service Proterms being his most recent project. Adrian heads our IR35 lawyers team.