Privacy Shield being invalidated

Since the European Court of Justice “invalidated” the Privacy Shield, data cannot be transferred on the ground of the previous adequacy decision made by the EU Commission. This means that now data transfers must have another legal ground like the Standard Contractual Clauses (SCC) or the Binding Corporate Rules (BCR).

The European Data Protection Board (EDPB) issued a FAQ on the implication on GDPR compliance of the ECJ solution and stated that the data controller must take additional measure to ensure the same level of protection of personal data assured by GDPR: https://edpb.europa.eu/news/news/2020/european-data-protection-board-publishes-faq-document-cjeu-judgment-c-31118-schrems_en

The main issue is that the US data controllers are forced to comply with US law which prevails over Standard Contractual Clause. The EDPB concluded stating that the data controller should consider storing or processing data elsewhere than the US.

You can process personal data outside of the U.S. if you use cloud providers which have servers in the European Union - all the major providers like Amazon AWS, Google Cloud, Microsoft Azure, and others have that option. 

You can find more information about data transfer here:3 steps for data transfers according to GDPR: https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/

You can consider enrolling in our free EU GDPR Foundations CourseEU GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course//