On July 16, 2020, the Court of Justice of the European Union issued a judgment declaring as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. This decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework. (The U.S. Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List.)
As per previous practice, it is anticipated that the EU authorities will provide for a grace period to give businesses time to react and adapt to this new regulatory regime. US-based companies with data subjects in Europe will now need to implement a substitute legal mechanism, such as standard contractual clauses or binding corporate rules, and are advised to seek the advice of competent data privacy counsel in this regard.
As an alternative, the Ably solution allows US-based companies (indeed, any company, whether based in the US, EU or elsewhere) to constrain Ably's management and distribution of their messages to within the confines of the EU, obviating the need for transatlantic data transfers. If you'd like to know more about this or adjust your account setup to impose this restriction, please contact Ably.