by cnorthwood 1597 days ago
Point 1 isn't true. You've been able to send personal data (PII being the specific US legal term) to the US no problem - as long as you had "standard contractual clauses" (SCCs) as part of your contract with them that the company meets GDPR requirements. This is the same agreement to send data to any country outside the EU where there isn't a pre-existing agreement. I believe this ruling is saying that it's not possible for a US company to comply with the SCCs because US law doesn't allow them to do so.

The original ruling was nuanced, and this ruling is clarifying some gray area inside of it.

The ruling on Schrems II (the court case that struck down Privacy Shield) did not state that SCCs on their own would be sufficient. It said that SCCs + "additional safeguards" would be allowable. There have been several rulings already that SCCs on their own are not sufficient.

The "additional safeguards" must include a risk analysis of US access to EU residents' data. Every court case I've seen from Schrems II onward identifies the US CLOUD Act as the privacy risk to address. CNIL is basically ruling that you cannot transfer data to a US company subject to the CLOUD Act, and an SCC cannot deal with that. This still leaves open the possibility of using US services that are not subject to the CLOUD Act. This is consistent with all rulings to date.

Wait, wouldn't that imply that EU startups can't host their infra on GCP, AWS or Azure? I'm not even talking about analytics - just about simple user email required to log in would be problematic now.
Pretty much, it really sounds like Schrems II + this ruling mean that US corporations can't be involved with EU at all besides via licensing software to a completely independent EU corporation (which isn't a given either, though, since the US company could threaten withholding software updates/revoking the software license to pressure the EU corporation to hand over EU citizen data to US Law Enforcement).
Yes, that is correct.
Isn't that the same as point 1?