Rob Masson, CEO at The DPO Centre, comments on the implications of the EU and US personal dataInformation which relates to an identified or identifiable natural person.data sharing agreementA written agreement between data controllers which defines the purpose and lawfulness of data sharing, whilst establishing the roles and standards of the processing of such data (i.e. imposing requirements around security, re-use and further sharing). that has just been reached.
“Privacy ShieldCertification scheme, currently operational with the US, which places requirements on companies to protect personal data and provide appropriate redress for individuals., an agreement allowing firms to share personal data between Europe and the U.S. without implementing additional safeguardsWhen transferring personal data to a third country, organisations must put in place appropriate safeguards to ensure the protection of the personal data. They should ensure that data subjects' rights will be respected and that the data subject has access to redress if they are not, and that the GDPR principles will be adhered to whilst the personal data is..., was invalidated in July 2020 after the momentous Schrems II decision. This left thousands of organisations in a precarious position on personal data and privacy issues over the past 18 months.
“Organisations transferring personal data to the U.S. will however be breathing a tentative sigh of relief that an agreement in principle has been found for replacing the Privacy Shield. A word of caution however is that at this stage, this is only a political agreement, not a legal one, so given there has been no announcement from the US regarding amending its surveillance laws (the core reason why Privacy Shield was invalidated), we may simply be heading for a Schrems III challenge very soon.”