Companies seeking to transfer data to the United States must revert to new arrangements with immediate effect after the Privacy Shield transatlantic pact was declared invalid last week, a European Union watchdog said on Friday.
The privacy watchdog said the lack of a grace period in the court ruling meant companies must use alternatives that carry greater risk, and that they may be better advised to store and administer their data outside the United States.
Europe’s highest court last week cited concerns about U.S. surveillance for its ruling, disrupting thousands of companies that had depended on the four-year-old Privacy Shield to transfer Europeans’ personal data for payroll, finance and other uses.
The European Data Protection Board (EDPB) said that companies that transfer data to the United States via standard contractual clauses would have to self-assess whether these have suitable safeguards and inform their national privacy enforcer.
Companies using a third tool known as binding corporate rules would have to do the same after the Luxembourg-based EU Court of Justice (CJEU) said that U.S. laws will also have primacy over this tool, the EDPB said.
It said other mechanisms and exemptions allowed under the bloc’s landmark privacy rules known as the General Data Protection Regulation (GDPR) require a strong level of protection for individuals’ data.
The EDPB, together with the European Commission, is now looking into ways, which could be legal, technical or organisational, to beef up standard contractual clauses and binding corporate rules.
The CJEU judgment followed a long-running dispute between Facebook and Austrian privacy activist Max Schrems, who has campaigned about the risk of U.S. intelligence agencies accessing data on Europeans.