“If your organisation transfers personal data over to the US or outside of Europe at all, then the European Court of Justice’s decision on 16 July will have a significant impact on your data transfer arrangements.”
In our latest video, Isabel Ost, director and solicitor, KPMG Law, discusses the impact of the latest rulings on personal data transferred from Europe to the US, and also on data transferred in.
Previously, both the US Privacy Shield and standard contractual clauses were created to ensure that personal data transferred outside of Europe was protected to a standard the European Commission was happy with.
But a recent case brought by Austrian privacy campaigner Max Schrems asked the Irish Data Protection Authority, and consequently the European Court of Justice, to review just how secure the Privacy Shield and standard contractual clauses are. On 16 July, the court ruled that data was not sufficiently protected in the US.
While using standard contractual clauses is still a valid way of protecting personal data leaving Europe, the laws of the country that you’re sending the data to need to be reviewed on a case-by-case basis. This also means that post-Brexit, UK surveillance laws will be closely scrutinised.
If your organisation transfers personal data outside of Europe, you should look out for guidance from your local data protection authority. You should also review your international transfer arrangements, both with third parties and inter-group, and put in place appropriate arrangements going forward to make sure that the data is adequately protected.
If you are based in the UK and you receive personal data from Europe, you should now be looking at how you ensure personal data you receive is adequately protected, and that includes looking at your Binding Corporate Rules before the end of the transition period.