The CJEU published today its decision in the “Schrems II” case: the European Court ruled on the validity of the model clauses for transferring data internationally (the Standard Contractual Clauses, SCCs), and on the invalidity of the Privacy Shield, the EU-US data sharing mechanism, due to surveillance concerns.
The court said that US government surveillance programmes don’t meet the required level of protection guaranteed under GDPR nor grant enough rights to data subjects against the US authorities, despite the existence of the Ombudsperson mechanism.
All companies transferring information under the Privacy Shield will need to take action to comply to GDPR.
Our data protection team has looked at the judgment and analysed the key points in an article on the Cookie Jar, where we provide immediate guidance for businesses affected: https://www.bristows.com/news/cjeu-decision-on-schrems-ii-model-clauses-valid-privacy-shield-invalid/