In its judgment C-311/18, the European Court of Justice (ECJ) invalidated the European Commission's decision regarding the Privacy Shield, which allowed the transfer of personal data based on self-certification by recipients in the US. However, the Commission's decision on standard contractual clauses (SCCs) for the transfer of personal data to processors established in third countries still stands (at least in theory), including with regard to data transfer to the US. Nevertheless, even in these circumstances a transfer is legitimate only when the guarantees of the SCCs (especially prevention of access by government agencies) are complied with. Whether this is the case needs to be assessed by the responsible operator/data exporter jointly with the recipient/data importer.
Given the ECJ's deliberations, scepticism is the order of the day: simple contractual obligations will prevent access by state agencies acting on US laws just as little as the self-certification under the Privacy Shield did. The European Data Protection Commission Board has so far restricted itself to vague promises of additional measures to be taken in order to ensure a protection level in accordance with the EEC. Options would be comprehensive damages, strict encryption technologies or prompt notification if a government authority threatens to access data, including a termination option. Still, there is no certainty whether and which additional guarantees will ultimately be perceived to be adequate. Until the advent of a (harmonised) recommended procedure, new SCCs or a practicable alternative, data transfer to the US (whether direct or via processors) should therefore be avoided as much as possible on the grounds of security.