Garante per la Protezione dei Dati Personali

Decision on Data Transfers to the USA: the “Safe Harbor” Authorisation is Invalid

On 22 October 2015, the Italian Data Protection Authority (GDPD) issued a provision following the recent judgment of the Court of Justice of the European Union in the case Schrems v. Facebook, which declared invalid the system set up under the Safe Harbour.

As a direct consequence, the GDPD has explicitly forbidden any data transfer between both countries. Thus, it might carry out inspections on the transfer at any time and, if necessary, to adopt effective measures provided under the Italian Data Protection Code. Besides, the implementation of other alternatives is encouraged in order to ensure compliance with the Italian regulations on the protection of personal data.

Finally, GDPD suggested some instruments to lawfully transfer the data of Italian citizens, i.e. Standard Contractual Clauses (SCC), Binding Corporate Rules (BCC) or the consent of data subjects.