There has been a recent change to data protection law that we believe you should be made aware of, as it may have consequences for your business. This follows on from our previous article on the decision; full information is available here.
Outlined below is the scope and nature of the change, and some interim measures you may wish to consider implementing.
In a landmark ruling, the Court of Justice of the European Union (CJEU) has held that the EU-US Privacy Shield (Privacy Shield) is invalid, on the basis that it fails to adequately protect EU citizens’ data.
The ICO (the UK privacy regulator) released an initial statement in relation to the ruling confirming that businesses currently using the Privacy Shield should continue to do so until new guidance becomes available; however, businesses that do not currently use the Privacy Shield should not start to do so during this period. The ICO published an updated statement on 27 July advising businesses to review their international data transfers and to react promptly as new guidance and advice becomes available.
If you previously relied upon the Privacy Shield to transfer data to the US, you will need to consider your options and identify an alternative mechanism to permit the transfer of such data. If you do not currently use the Privacy Shield and wish to transfer data to the US, you must not begin to rely on the Privacy Shield and must use an alternative method for the transfer.
As part of the same ruling, the CJEU confirmed that Standard Contractual Clauses (SCCs), standard sets of contractual terms designed to ensure compliance with the requirements of the GDPR, remain a valid mechanism for transferring personal data between the EU and the US, provided that you conduct an assessment of the full circumstances of the transfer to ensure the SCCs offer sufficient protection to the personal data. If you rely upon SCCs within your contracts to permit the transfer of personal data between the EU and the US, you can continue to do so; however, you are now required to conduct a risk assessment before the transfer is permissible. The duty to conduct an active risk assessment before transferring data also applies if you rely on Binding Corporate Rules (BCRs), strict agreed rules of conduct between entities designed to ensure compliance with the GDPR.
We will continue to monitor regulatory guidance and any updates from the ICO, and we will communicate their recommended course of action to you. Should you wish to discuss the contents of this update further, or the potential impact it may have upon your business in the interim, please do not hesitate to get in touch on 0161 941 4000 or via email.