“Today’s ECJ decision creates a challenge for more than 5,300 U.S.-based companies—including over 250 with headquarters in Europe—that relied on the Privacy Shield to transfer personal data to and from Europe,” said Thomas Boué, Director General of Policy—EMEA at BSA. “70 percent of the companies certified to the Privacy Shield were SMEs, and they will now have to spend time and resources finding alternatives to carry out daily business transactions like processing payroll, sending emails, or storing documents on cloud-hosted servers.”
“Companies need to have reliable and stable mechanisms to send data from the EU to the United States. This is an unwelcome development at a time when businesses on both sides of the Atlantic are focusing on recovering from the economic impacts of Covid-19 and are increasingly relying on data-driven tools and services to do so,” Boué added.
“BSA is studying the details of the decision. We stand ready to work immediately with the European Commission, the US Government, and the transatlantic business community, who share the common goal of finding a new, sustainable data transfer mechanism that will work for the long term,” said Boué. “More positively, the Court has upheld the ability to use Standard Contractual Clauses as a responsible, trusted tool to transfer personal data outside Europe, including to the United States.”
Standard Contractual Clauses – or SCCs – are the main transfer mechanism used by 90 percent of companies that transfer data internationally. SCCs, which are issued by the EU Commission, were also under review by the ECJ. SCCs underpin transfers of personal data from the EU to some 180 countries, including Australia, Singapore, South Korea, Brazil, India, and Mexico. These clauses impose a range of contract-based obligations help ensure EU law’s strong privacy protections flow with any personal data sent outside of the EU. The SCCs impose mandatory safeguards and companies that use SCCs also apply additional safeguards that are tailored to each specific transfer.