The Court of Justice of the European Union (the ECJ) has handed down its long-awaited decision in Max Schrems’ latest challenge to EU-US data transfers.
In the latest round of court cases, Schrems brought a complaint against Facebook Ireland for sending his personal data to Facebook in the USA. The complaint first went to the Irish Data Protection Commissioner, then made its way into the Irish court system, and eventually was referred to the ECJ.
The ECJ has decided that:
Based on the ECJ’s own conclusion that US law does not provide an adequate level of privacy protection for EU citizens, there is a significant risk of a future challenge to the use of Standard Contractual Clauses (in particular where that data is transferred to the USA).
This decision will be of interest to all clients who transfer the personal data of EU data subjects, including their employees, to the USA. This includes US-based clients with international operations who:
Businesses who find themselves in this position may need to review their GDPR data-export arrangements, urgently, to assess their level of compliance and likely exposure. The ICO (the UK’s supervisory authority) has published a statement saying that it is considering the impact of the judgment on international data transfers. We are awaiting further guidance.
If you would like to discuss this further, please contact your usual GQ|Littler contact or email Deborah Margolis who is coordinating our client response to this issue.