In summary, the CJEU has:
- Invalidated the use of the Privacy Shield as an adequate safeguard when transferring personal data outside the EEA to the United States – primarily due to potential unrestricted U.S. government access.
- Found the SCCs to be an adequate safeguard when transferring personal data outside the EEA to third parties. However, depending on the prevailing position in a particular third country, the adoption of supplementary contractual provisions by the controller to ensure compliance with that level of protection afforded in the SCCs may be required.
To conclude, all data transfers from the EEA to countries outside the EEA will have to be assessed on a case-by-case basis to determine whether organizations have to implement additional clauses beyond those afforded under the SCCs or even under binding corporate rules. It is expected that EU data protection authorities will provide more guidance regarding specific countries.