The General Data Protection Regulation (GDPR) makes it unlawful to transfer personal data outside of the EU unless certain conditions are met.

Until very recently, organisations could rely on the EU-US Privacy Shield as a valid data protection mechanism for the transfer of personal data from the EU to the US. However, in a recent case, the Court of Justice of the European Union overturned this on the basis that US laws do not offer adequate protection for EU personal data.

What is the Privacy Shield?

The EU-US Privacy Shield framework was introduced in 2016 as a mechanism to provide organisations that have chosen to comply with it with adequate protection for any personal data transferred from the EU to the US. It imposes stronger obligations on members to protect Europeans’ personal data than US law imposes alone. It also requires the US to monitor and robustly enforce more data protection principles and cooperate with European data protection authorities.

The Privacy Shield is commonly used by cloud-based providers to store large volumes of data in the US.

How does this impact you?

If your business transfers personal data to the US using the Privacy Shield as the method for protecting that data, or a contractor you are working with relies on this mechanism when processing your data, then you must find an alternative transfer mechanism.

There is no enforcement grace period allowing organisations to continue transferring data from the EU to the US without assessing their legal basis for doing so.

What other options are there?

An alternative would be to use Standard Contractual Clauses (SCCs). These are a set of clauses that contain contractual obligations on both data exporters and importers in relation to the processing of personal data. SCCs are incorporated into contracts between parties and are the most commonly used mechanism for transfers of personal data outside of the EU.

The use of SCCs remains valid provided that your business verifies whether the overall context of the transfer (including the destination country) offers appropriate safeguards to the personal data. Where such appropriate safeguards cannot be provided, you must suspend or prohibit the transfer.

You may otherwise transfer personal data outside of the EU if the data subject gives you their explicit consent to do so. For consent to be deemed ‘explicit’ under the GDPR, it must be expressly confirmed in words, rather than by any other positive action, for example unticking a checked box.

Please note, the information included in this update is correct at the date of publishing.

If you currently rely on the Privacy Shield as a transfer mechanism and require advice on reviewing your data flows and implementing an alternative, legally compliant, transfer mechanism, please call us on 01332 226 130 or complete the form below.
