In mid-July with so much of the news coverage focussed on various aspects of Covid-19 and also perhaps more importantly for some, pubs and restaurants were re-opening, an important landmark ruling took place in the European Court of Justice (ECJ). In a case brought by Max Schrems the court ruled that the EU-US Privacy Shield was no longer valid. The privacy shield allowed companies to sign up to higher privacy standards before transferring data to the US where it may be stored.

The (ECJ) agreed that the Privacy Shield did not protect EU and UK citizens from the monitoring and investigatory “snooping” of the US government and could no longer be used to justify moving and storing data in the US. Any company therefore who transfer EU and UK residents’ personal data to the US, you could now be doing so unlawfully. The transfer of such data is estimated to affect over 5,000 companies with an estimated to trade value of £5.6tn.

This leads to the obvious question of “Do you know where all your client’s data is stored?“

If it is in the US and the privacy shield has been used as justification for the location of the transfer and the storage of the data, then you will need to ensure that separate “standard contractual clauses” are signed and agreed. Large well know companies such as Microsoft already use them and is unaffected by this ruling.