RPC comments on ECJ's Schrems II judgment
The European Court of Justice has issued today a landmark data protection judgment that will cause a GDPR compliance headache for many companies in the UK and EU.
In the so-called "Schrems II" litigation, the court has declared that the EU-US Privacy Shield arrangement, which many EU companies rely on to validate transfers of personal data to the US, is invalid.
The full judgment can be accessed here.
Commenting on the EU court's decision, City headquartered law firm RPC partner and data protection lawyer Jon Bartley said:
"This is an important decision for the thousands of UK and EU companies that rely on Privacy Shield to ensure that data transfers to affiliates and suppliers in the US are lawful. It will have a similar impact to the 2015 decision which struck down the Safe Harbor arrangement and led to many US vendors revising their customer contracts to incorporate Standard Contractual Clauses (SCCs). It now remains to be seen whether the EU and US will be able to find an alternative solution that will succeed where their two previous efforts have failed, although this might require the US government to introduce domestic legislation to address the key concerns regarding its surveillance activities.
Also, although the court has upheld the validity of the SCCs, it has made clear that national data protection authorities are under a duty to suspend or prohibit transfers based on the SCCs if they cannot be complied with in the country to which the data is being transferred. So we also have the risk that an EU data protection regulator declares the SCCs insufficient for data transfers to the US or other countries. This would cause significant problems for businesses given that the SCCs are the primary mechanism used for data transfers outside the EEA."