Key takeaways from the case:
1. Privacy Shield can no longer be relied as a basis to transfer data to the US. Urgent replacement framework required again! US Governments approach is seen as disproportionate to its goals and that no sufficient redress for individuals to challenge the government actions exist.
2. SCC’s are still valid but no more “sign and forget” approach. A case by case analysis is required to see if they provide adequate protection.
3. Onus is put on businesses and regulators to assess and ensure transfers occur only where adequate standards exist in third countries.
4. BCR’s and derogations survive (explicit consent / performance of contracts), but can it be implied that the “case by case analysis” is required for those transfer exceptions also?
5. BREXIT – The UK has not been issued with an adequacy decision by the European Commission, careful analysis of its surveillance regimes in place will be required from 31 December 2020 and indeed other third countries before data transfers occur.
6. The Irish DPC welcome the decision.