On July 16, 2020 the European Court of Justice (ECJ) delivered an important decision on data protection, ruling on the validity of standard contractual clauses. These clauses are widely used legal instruments for transferring personal data outside the EU. The ECJ held that such clauses are valid, but that data protection authorities in the EU can prohibit or suspend transfers under these clauses if the third country’s legal system does not provide a level of personal data protection essentially equivalent to that in the EU.

The ECJ ruling also addressed the validity of the so-called EU-US Privacy Shield framework, facilitating personal data transfers to the United States. The ECJ ruled that the possibilities to guarantee the data protection for EU citizens in the United States is not sufficient. The European judge apparently is in favor of a much stronger level of trans-Atlantic privacy protection.

As already outlined in previous newsletters, the GDPR affects the different jurisdictions in the Dutch Caribbean, such as Curaçao. Since the GDPR sets conditions for the transfer of personal data from the EU to countries outside the EU, it needs to be determined whether under Curaçao law there are “appropriate guarantees” or if there are “binding company regulations” in use. Incidental transfer of personal data is possible, however with the requirement of express consent of the parties involved. In addition, they must have been informed about the risks associated with the transfer.