The decision of Commission on the adequate level of protection afforded by the EU-US Privacy Shield (so-called Privacy Shield) has been declared invalid by the decision of the European Court of Justice (ECJ) of 16 June 2020, because the US law allows for a comprehensive access by public authorities to personal data and do not provide sufficient protection for the data transmitted or effective legal protection for data subjects.
Therefore, if the administrators wants to continue to transfer data to the USA, he must do so on the basis of the so-called Standard Contractual Clauses and, through appropriate guarantees and safeguards in the clauses, to ensure a comparable level of personal data protection guaranteed by GDPR in the EU. With respect to USA law, administrators and specific processors in the USA will need to find other appropriate security guarantees, such as storage of the data, including the metadata, only in the EU, the encryption without backdoors, etc., which will provide a comparable level of protection. If this is not possible, the export of data to the USA should not be carried out even using contractual clauses.
We therefore recommend to the all administrators who transfer personal data to the USA, to verify, in cooperation with the data importer, that they meet the new requirements for the export of data to the USA.
For more information please contact
Principal Associate | Prague
T: +420 255 706 554
M: +420 602 167 779
Senior Associate | Prague
T.: +420 255 706 561
M: +420 724 593 617