Important decision from European Court of Justice on transfer of personal data to the United States

On 16 July 2020, the Court of Justice of the European Union ruled on the mechanisms for data transfers between EU and the US. Please see the full press release here:

The court has confirmed that the Standard Contractual Clauses (the "SCCs") issued by the European Commission for the transfer of personal data to data processors established outside of the EU is a valid transfer mechanism under the GDPR.

OCLC and its related entities use SCCs as its main mechanism for data transfers outside the EU. This way OCLC guarantees an equal and legally sufficient level of protection of personal data in all countries where OCLC provides services.

We at OCLC take security of library and user data very seriously. This court ruling is a welcome confirmation of our approach to compliance as it confirms the validity of OCLC's chosen mechanism for data transfers.

The OCLC Standard Contractual Clauses are a part of the OCLC Data Processing Agreement and are available here:

The European Court of Justice also concluded that the EU–US Privacy Shield framework is NOT a valid mechanism for data transfers, as it provides insufficient safeguards to protect the personal data of EU citizens in the US, and is therefore not allowed under GDPR.

Please note OCLC does not base the transfer of personal data to the US on EU-US Privacy Shield.

If you would like to know more about how OCLC processes personal data, please see our page on Security, Privacy, and Compliance.