The Atlantic is now an ocean for personal data to cross

In today’s Times I’ve outlined the impact of the ECJ’s Schrems II ruling on trans-Atlantic data flows. The ruling may be the beginning of the end for the free movement of personal data globally, as organisations both inside and outside the EU will struggle to meet the new legal requirements of protecting personal data once it leaves the bloc.

The immediate impact of the ruling will be significant for organisations on both sides of the Atlantic. Any personal data transfers made under the EU-US shield are no longer lawful. This will affect not only the nearly 5,400 US organisations that had been certified under the privacy shield, but also the many EU organisations that relied on the certifications for transferring data to the certified American organisations.

A deeper impact is likely to be felt by all organisations relying on the standard clauses to transfer personal data outside of the EU. The good news is that the clauses remain valid. However, in certain jurisdictions they will require the adoption of supplementary measures to meet the requirements of adequate protection and remain compliant with the general data protection rules.

With the shield invalidated, it is likely that organisations will consider using standard clauses for transfers to the US. However, as the clauses do not restrict what the US security and intelligence services can do with data under US law, they are not capable of protecting European individuals against such activities and will not provide adequate protection for GDPR compliance.

With options now limited to legitimise personal data transfers, especially to the US, how the EU data protection authorities react will be critical. Heavy-handed enforcement may drive EU organisations to shift all data to localised management, which could have a significant impact on the ability to provide goods and services in the digital environment, and a negative impact on the economy.

All organisations that transfer personal data out of the EU should start reviewing their data flows to see where data is going and what mechanism is being relied on for the transfer.

Mechanisms will need to prioritise a review of any data transferred under the privacy shield and any data transferred to the US under standard clauses. It may be that an alternative solution is required that could be one of the limited derogations set out in the GDPR, none of which is a perfect long-term solution.

In the short term, all that is certain is that, however uncommercial, to be assured of compliance with the GDPR, personal data should remain in the EU and not cross the Atlantic. Where data once flowed across oceans, it may now be reduced to a trickle.