A recent judgment from the Court of Justice of the European Union has implications for any local business that transfers personal data outside of the Bailiwick or the EU.
The EU-US legal framework for data transfers known as ‘Privacy Shield’ has been invalidated with immediate effect.
This means that local organisations need to take steps to ensure they have proper safeguards around any data transfers that rely on either ‘Privacy Shield’ or EU ‘Standard Contractual Clauses’.
The now invalid Privacy Shield was a legal framework between the EU and the United States of America that allowed personal data from the EU to be transferred to the US.
‘Standard Contractual Clauses’ are a set of terms and conditions organisations use to protect personal data transferred outside the European Economic Area.
The background to this judgment goes back many years and involves Maximilian Schrems, an Austrian activist and author. In 2013, Schrems filed a complaint against Facebook Ireland Ltd with the Irish Data Protection Commissioner seeking to stop Facebook transferring personal data from Ireland to the US. Schrems’ complaint related to Facebook’s alleged involvement in the ‘PRISM’ surveillance programme.
A spokesman for the ODPA said: "The Bailiwick is currently recognised by the European Commission as an adequate jurisdiction for the purposes of the General Data Protection Regulation (GDPR). This means that personal data can flow freely between the Bailiwick and the EEA.
"The ODPA is keen to provide clear and consistent advice and support to local organisations. This multi-layered and complex judgment requires analysis and guidance. The European Data Protection Board (EDPB) have published an early statement indicating that further guidance will be published in due course which will provide clarification and support consistency."
In the meantime, any local organisations that may be affected should do the following:
Identify if you have been relying on the EU-US Privacy Shield for data transfers. You will need to check the terms of service, contracts or Privacy Statements for all third parties you may use to process your data (e.g. Eventbrite, Facebook, Mail Chimp, LinkedIn, Twitter, Instagram, Basecamp, Slack etc.)
If you find that you have been relying on Privacy Shield you must work towards an alternative, referring to sections 56, 57 and 59 of The Data Protection (Bailiwick of Guernsey) Law, 2017 for details of data transfer requirements.
If you are relying on Standard Contractual Clauses or Binding Corporate Rules, you must comprehensively review them and ensure they accurately reflect detailed consideration of risks and safeguards.
The ODPA emphasises that the CJEU’s judgment serves several purposes. Among them, it highlights the crucial role of privacy protections and emphasises that these protections must travel with data and that these types of data transfers cannot be a tick-box exercise.
Pictured: The Bailiwick of Guernsey's Data Protection Commissioner Emma Martins.