Michelle Watson Bunn
No Content Set
The Office of the Data Protection Authority in Guernsey (ODPA) has warned companies in the Bailiwick to be aware of the recent Court of Justice of the European Union (CJEU) judgment which affects all businesses who transfer personal data outside of the Bailiwick and the European Union (EU). In the CJEU judgment, ruled on 16 July 2020, the EU-US agreement for data transfers, which is known as the Privacy Shield, has been struck down. Consequently, Guernsey companies need to ensure they have proper safeguards around any data transfers they make that rely on the Privacy Shield. Affected companies will now have to sign EU Standard Contractual Clauses (SCCs), a set of terms and conditions organisations use to protect personal data transferred outside the European Economic Area (EEA). SCCs are already used by some companies, such as Microsoft, who have issued a statement saying that due to the use of SCCs they are unaffected by this judgment. However, as a result of this judgment, SCCs will be much more closely scrutinised.
The Privacy Shield is a data transfer mechanism, created four years ago between the EU and the United States of America (US), which thousands of companies had signed up to. This allowed companies to rely on the legal protection to authorise transatlantic transfers of EU users' data. However, the recent CJEU judgment, known as Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18, “Schrems II”), is a consequence of Maximillian Schrems, an Austrian activist and author, filing a complaint against Facebook Ireland Ltd with the Irish Data Protection Commissioner seeking to stop Facebook transferring personal data from Ireland to the US. Schrems’ complaint related to Facebook’s alleged involvement in the ‘PRISM’ surveillance programme and suggested that US national security laws did not adequately protect EU citizens.
In its news update of 24 July 2020, the ODPA emphasised that the CJEU’s judgment:
The Bailiwick is currently recognised by the European Commission as an adequate jurisdiction for the purposes of the General Data Protection Regulation (GDPR). This means that personal data can flow freely between the Bailiwick and the EEA. The ODPA has suggested that considering the immediate effect of Privacy Shield being invalid, any Guernsey companies that may be affected should do the following:
There are no easy or quick solutions to the complexities of this judgment, but it highlights how crucial it is for controllers to ensure that they review their processing and any contracts that they may have with processors. It reminds us that real compliance cannot be a tick box exercise, it must be part of a carefully considered and holistic governance framework which, done well, will protect both individuals and organisations.
Should you wish to discuss the effect of this judgment in Guernsey, please do not hesitate to get in touch with us.
Ogier is a professional services firm with the knowledge and expertise to handle the most demanding and complex transactions and provide expert, efficient and cost-effective services to all our clients. We regularly win awards for the quality of our client service, our work and our people.
This client briefing has been prepared for clients and professional associates of Ogier. The information and expressions of opinion which it contains are not intended to be a comprehensive study or to provide legal advice and should not be treated as a substitute for specific advice concerning individual situations.
Regulatory information can be found under Legal Notice
Sign up to receive updates and newsletters from us.Sign up
No Content Set