by Heidi Beate Bentzen, University of Oslo, and Hakon Heimer, University of Copenhagen
24 August 2020
The Court of Justice of the European Union recently struck down the Privacy Shield framework that underpinned some data transfers between the EU and US companies, including cloud providers, citing legislation in the US that allows for government surveillance. This may affect research where personal data is transferred to the US or where researchers in the US are given remote access to databases in the European Economic Area (EEA, which includes the EU plus Iceland, Liechtenstein and Norway).
If this is the case for your project, you may want to consult with your institution's legal expertise to ensure that you have a valid data transfer mechanism in place, as required by GDPR Chapter V. Note that the judgment also increased the threshold for using the EU's Standard Contractual Clauses.
For more details, read the so-called "Schrems II" judgment (named for the plaintiff, Austrian lawyer and privacy activist Max Schrems). The European Data Protection Board has issued a useful FAQ relating to the judgment.
The US and EU have issued a joint press statement, which has drawn reactions from a group led by Schrems ("101 Complaints on EU-US transfers filed" and "Next Steps for EU companies & FAQs") and the International Association of Privacy Professionals ("EU, US initiate talks on potential 'enhanced' Privacy Shield").
Further reading:
EU-US Privacy Shield is dead. Long live Privacy Shield.
E.U. Court Strikes Down Trans-Atlantic Data Transfer Pact