23 July 2020 – If you want to transfer personal data to a country outside the EEA (which has not been formally approved by the European Commission), then you need to use one of the GDPR-prescribed “transfer mechanisms”. For transfers of personal data to the US, one of the main transfer mechanisms was the EU–US Privacy Shield, a framework which enabled Privacy Shield-registered US companies to receive personal data from EU entities. I say ‘was’ because, in its judgment on 16th July 2020, the European Court of Justice declared the EU–US Privacy Shield invalid on the grounds that it did not provide adequate protections to EU citizens. Specifically, the ECJ was concerned about the lack of oversight of US law enforcement agencies accessing EU citizens’ personal data.
The other main transfer mechanism is for an EEA controller proposing to export personal data and the importer in the non-EEA country to enter into the Standard Contractual Clauses (SCCs), which legitimise transfers of personal data by contract. In its judgment the ECJ made some observations on the SCCs, confirming that prior to exporting personal data the controller must be satisfied that the SCCs can and will be complied with. In other words, it’s not just a question of ensuring that the SCCs are included in the parties’ agreement: the controller needs to assess the quality of the safeguards in the importer’s country to ensure that individuals’ rights and freedoms will be protected. That said, the SCCs remain a valid transfer mechanism, and are likely to be the first port of call to legitimise EEA-to-US transfers of personal data that no longer benefit from the Privacy Shield.