Following the European Court of Justice’s decision to strike down the EU-US Privacy Shield mechanism for data transfer,[1] the Swiss Federal Data Protection and Information Commissioner reviewed the decision and came to the same conclusion.[2] Data transfers between the European Union and the United States are now in regulatory limbo as the EU side has deemed the U.S. data protection framework inadequate—primarily due to surveillance concerns—while the U.S. still acknowledges Privacy Shield. No new mechanism has yet come forward besides standard contractual clauses.
The European Court of Justice ruled that standard contractual clauses, the mechanism many companies operating in Europe use to transfer data to the U.S. and other countries, were valid but required significant due diligence before they could be deemed compliant with GDPR standards.
Companies that transfer data between the EU and third countries, including the United States, should vet any partners that use Privacy Shield or similar mechanisms and seek out assistance in establishing new, secure channels for data transfers that meet GDPR standards.