Many transfers of personal data to the USA have relied upon the Privacy Shield to safeguard that data.  The Privacy Shield was an agreement between the European Union (EU) and the United States of America (USA) that allowed for the transfer of personal data from the EU to the USA.

However, on 16 July 2020, the Court of Justice of the European Union (CJEU) decided that the ‘Privacy Shield’ is invalid.

In addition, while the CJEU confirmed that Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) can be relied upon to transfer personal data, these must be reconsidered to ensure that the safeguards are not overridden by any laws that apply in the country to which the personal data are transferred.

The CJEU Decision, Case C-311/18 – Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, can be read at:-

https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62018CN0311&from=EN

The CJEU decision is complex and requires further careful consideration. The European Data Protection Board (EDPB) have published a statement indicating that further guidance will be published in due course which will provide clarification and support consistency.

The statement can be read on the EDPB website at:-

https://edpb.europa.eu/news/news/2020/statement-court-justice-european-union-judgment-case-c-31118-data-protection_en

In the interim, Isle of Man businesses and organisations need to review any international transfers of personal data to:-

1.  Determine if the Privacy Shield has been relied upon for data transfers.

Note: This may not be immediately apparent and the use of any third party applications such as:- Facebook, LinkedIn, Twitter, Instagram, Eventbrite, MailChimp, etc. need to be considered.

2.  If the Privacy Shield has been relied upon, consider whether it is necessary to continue to transfer personal data.  If so, then an alternative will need to found, for example, whether the transfer falls within a derogation set out in Article 49 of the Applied GDPR or in Schedule 10 of the GDPR and LED Implementing Regulations 2018.

3.  Any reliance upon SCCs or BCRs to transfer personal data must also be reviewed to ensure they provide appropriate safeguards. This is not limited to transfers to the USA.

Source: IOMIC (27 July 2020)