Skip to main content

News story

July 29, 2020

Data transfers: EU/US Privacy Shield shattered

On 16 July 2020, the Court of Justice of the European Union (CJEU) struck down the European Union (EU)/United States (US) Privacy Shield, which served as the mechanism for which EU citizens’ personal data could be shared with the US. Instead, companies must now use standard contractual clauses (SCCs).

This will have far-reaching impacts on companies on both sides of the pond. Those who relied on the Privacy Shield to transfer personal data must find an alternative method or stop. This will be extremely problematic for companies that work across both jurisdictions, who must transfer personal data for their company to function.

What was the Privacy Shield?

Companies can transfer personal data to other countries where there is at least an equal measure of data protection as directed by EU law. Companies can legally transfer data when the EU has determined that a third country has adequate measures in place. Due to substandard data protection and privacy laws, the US has not passed this test. So, the EU and the US produced the Privacy Shield Framework. This framework carved out a legal path by which the personal data of EU citizens could be transferred between the EU and the US, so long as those US companies enrolled in the Privacy Shield Framework complied with the data protection obligations imposed upon them.

Why did the CJEU invalidate the Privacy Shield?

The CJEU determined that US National Security law does not sufficiently protect EU citizens’ personal data. US surveillance laws allow the government to access more personal data than is strictly necessary. In short, the US government can snoop to a degree that does not align well with EU law. Hence, the Privacy Shield Framework does not sufficiently protect the personal data transferred under it.

Standard Contractual Clauses – what are they?

SCCs are standard clauses published by the European Commission or by a member state Supervisory Authority. They offer sufficient safeguards on data protection to allow personal data to be transferred outside of the EU. Although the CJEU endorsed the use of SCCs, moving forward, it made clear that parties have an obligation to ensure that the laws in the recipient country are sufficient to protect EU personal data. If the guarantees of the SCCs are not upheld, then personal data transfers with that company must be suspended.

What should companies do now?

Companies that transfer personal data to the US must ensure they continue to do so lawfully. Where a company has previously relied on Privacy Shield certification, it must implement a new transfer mechanism as an SCC. Still, where required, it must consider additional supplemental contractual safeguards that go above the standard SCCs.

To avoid falling foul of the Information Commissioners Office (ICO), companies must assess whether their data privacy safeguards are sufficient and ensure those of any company outside of the EU with whom they have or intend to continue sharing EU citizens’ personal data affords an equivalent protection guaranteed within the EU under GDPR legislation.

This is a complicated area of cross-border data protection law. Companies should seek advice from a lawyer to ensure compliance with EU law.

Speak to Karen Cole today, who can review your existing contracts and practices to ensure your company complies.

Note: This is not legal advice; it provides information of general interest on a current legal issue.

Stay in touch

Subscribe to our newsletter

Stay in touch

By completing your details and submitting this form you confirm you are happy for us to send you marketing communications and that you agree to our Website Privacy Policy and Legal Notice and to us using Mailchimp to process your data.


Sending

News/Insight

  • Why is clear contract drafting important?
    How simple contract clauses can protect your business.


    Read more
  • Ensuring equality: A legal guide to responsibilities and compliance
    Understanding equal opportunities in the workplace


    Read more
  • Navigating the Economic Crime and Corporate Transparency Act 2023: What it means for your business
    The Economic Crime and Corporate Transparency Act 2023 (the Act) represents a significant shift in the UK's approach to combating economic crime, improving corporate transparency, and anti-mo


    Read more
  • Blowing kisses, not boundaries
    Tribunal clears air on workplace etiquette.


    Read more
  • Estate planning: How not to make mincemeat of it!
    The High Court has confirmed that a will handwritten on the back of two cardboard food packages is legally binding.


    Read more

What they say...

  • C Smith, March 2025
    “As executor of a will it was a relief for a solicitor to act on my behalf as though no disputes it was still a lengthy and complex process. It was dealt with mostly by Charlotte B. who kept me informed at all times. She explained the process c

  • Marc, March 2025
    “RIAA Barker Gillette were engaged to handle a real estate transaction with unusual circumstances. As a non-UK resident unfamiliar with English conveyancing procedures, I felt completely satisfied with the depth of the information and explanati

  • Leigh, March 2025
    “Instructed Martin on my first property purchase. He was a delight to work with, kept me informed and updated regularly. It was an incredibly smooth and quick process. Couldn’t be happier.”

  • Ms Brownell, March 2025
    “Patrick was amazing from start to finish. He made the process so easy, and explained each step in detail ahead of time so I’d understand what would happen and when. He was incredibly organized and noted every detail, calling out things t

  • Roman Cassini, February 2025
    “Peter Wright – highly recommended solicitor, helped us though a complicated flat sale with consummate professionalism.”

Read more
Send this to a friend