What recommendations would you suggest for a small/medium-sized business in light of the recent decision by the ECJ regarding the EU-US Privacy Shield?
The recent decision of the European Court of Justice (ECJ) has a huge impact on data transfer between the US and the EU. You cannot transfer data based on the decision of adequacy of the US Privacy Shield. Therefore, you need to find another legal ground for data transfer. Standard Contractual Clauses can be a solution.
The main issue is that the US data controllers are forced to comply with US law which prevails over Standard Contractual Clause and Binding Corporate Rules (which is a solution for large companies and in some case medium-sized companies).
The EDPB concluded stating that the data controller should consider storing or processing data elsewhere than the US.
You can find more information about data transfer here: