In order for our site to work, small files called ‘cookies’ have been placed on your device. These mandatory cookies do not process any personal data.
We would also like to use analytics cookies to understand how our site is used by visitors and then use this information to improve our site and the experience of using our site. The service we use is Google Analytics.
Please indicate whether or not you are happy to allow the use of these analytics cookies by selecting one of the options below. You can read more about our cookies before you choose and read our Privacy Notice to find out more information on how we use your personal data
Published: 24 July 2020
The Office of the Data Protection Authority (ODPA) is alerting local organisations to take note of a recent judgement from the Court of Justice of the European Union (CJEU) which affects all businesses who transfer personal data outside of the Bailiwick and the EU.
On 16 July 2020 the CJEU ruled that the EU-US legal framework for data transfers known as ‘Privacy Shield’ is invalid. This means that local organisations need to take steps outlined below to ensure they have proper safeguards around any data transfers that rely on either ‘Privacy Shield’ or EU ‘Standard Contractual Clauses’.
The now invalid Privacy Shield was a legal framework between the EU and the United States of America (US) that allowed personal data from the EU to be transferred to the US. ‘Standard Contractual Clauses’ (SCCs) are a set of terms and conditions organisations use to protect personal data transferred outside the European Economic Area (EEA).
The CJEU ruled on both Privacy Shield and SCCs in their judgement of 16 July 2020. They concluded in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18, “Schrems II”), that Privacy Shield is invalid but affirmed SCCs’ validity.
The background which led to this CJEU judgement goes back many years and involves Maximillian Schrems, an Austrian activist and author. In 2013, Schrems filed a complaint against Facebook Ireland Ltd with the Irish Data Protection Commissioner seeking to stop Facebook transferring personal data from Ireland to the US. Schrems’ complaint related to Facebook’s alleged involvement in the ‘PRISM’ surveillance programme.
The ODPA emphasises that the CJEU’s judgement:
The Bailiwick is currently recognised by the European Commission as an adequate jurisdiction for the purposes of the General Data Protection Regulation (GDPR). This means that personal data can flow freely between the Bailiwick and the EEA.
The ODPA is keen to provide clear and consistent advice and support to local organisations. This multi-layered and complex judgement requires analysis and guidance. The European Data Protection Board (EDPB) have published an early statement indicating that further guidance will be published in due course which will provide clarification and support consistency.
In the meantime, considering the immediate effect of Privacy Shield being invalid, any local organisations that may be affected should do the following: