We provide the complete commercial debt recovery service; from outsourced early arrears collections through to expert litigation, all handled in-house by a multi-award-winning law firm.

 

Visit our debt recovery website
Search

We provide the complete commercial debt recovery service; from outsourced early arrears collections through to expert litigation, all handled in-house by a multi-award-winning law firm.

 

Visit our debt recovery website

Search

Insight

Privacy Shield

The General Data Protection Regulation (GDPR) makes it unlawful to transfer personal data outside of the EU unless certain conditions are met.

Until very recently, organisations could rely on the EU-US Privacy Shield as a valid data protection mechanism for the transfer of personal data from the EU to the US. However, in a recent case, the Court of Justice of the European Court overturned this on the basis that the US laws do not offer adequate protection for EU personal data.

What is the Privacy Shield?

The EU-US Privacy Shield framework was introduced in 2016 as a mechanism to provide those organisations who have chosen to comply with it, adequate protection for any personal data transferred from the EU to the US. It imposes stronger obligations on members to protect Europeans’ personal data than US law imposes alone. It also requires the US to monitor and robustly enforce more data protection principles and cooperate with European data protection authorities.

The Privacy Shield is commonly used by cloud-based providers to store large volumes of data in the US.

How does this impact you?

If your business transfers personal data to the US using the Privacy Shield as the method for protecting that data, or, a contractor you are working with relies on this mechanism when processing your data, then you must find an alternative transfer mechanism.

There is no enforcement grace period allowing organizations to continue transferring data from the EU to the US without assessing their legal basis for doing so.

What other options are there?

An alternative would be to use Standard Contractual Clauses (SCCs). These are a set of clauses that contain contractual obligations on both data exporters and importers in relation to the processing of personal data. SCCs are incorporated into contracts between parties and are the most commonly used mechanism for transfers of personal data outside of the EU.

The use of SCCs remains valid provided that your business verifies whether the overall context of the transfer (including the destination country) offers appropriate safeguards to the personal data. Where such appropriate safeguards cannot be provided, you must suspend or prohibit the transfer.

You may otherwise transfer personal data outside of the EU if the data subject gives you their explicit consent to do so. For consent to be deemed ‘explicit’ under the GDPR, it must be expressly confirmed in words, rather than by any other positive action, for example unticking a checked box.

Please note, the information included in this update is correct at the date of publishing.

Contact Us

Do you need assistance?

If you currently rely on the Privacy Shield as a transfer mechanism and require advice on reviewing your data flows and implementing an alternative, legally compliant, transfer mechanism, please call us on 01332 226 130 or complete the form below.

Related Services

Other areas of interest

Commercial contracts Data protection IT and e-commerce contracts

Knowledge

The latest from our experts

Insight

ICO consults on accuracy principle for generative AI models

ICO issues consultation on how the data protection principle of accuracy applies to generative AI models

 Read more

Insight

Strengthening your business against increasing insolvencies: contractual safeguards and practical approaches

Safeguards your business can take when you are dealing with potentially insolvent customers or suppliers through strategic contracting drafting.

 Read more

Insight

FCA issues compliance reminder for Buy Now Pay Later platforms

Buy Now Pay Later: FCA issues reminder to firms to comply with consumer protection legislation

 Read more

Insight

UPDATE: The UK-US Data Bridge is now in force

The UK-US Data Bridge (Data Bridge) is now in force, but what does this mean for your business?

 Read more

Insight

Commercial contracts as a powerful marketing tool

On top of your traditional marketing output, commercial contracts are a hidden gem that can help boost your business's marketing efforts.

 Read more

Insight

EU & US reach decision on data adequacy

The European Union and United States have recently reached a decision regarding data adequacy.

 Read more

Insight

Is your cookie banner breaking the law?

Stark warning to companies that fail to have a ‘reject all’ button on their cookie banners.

 Read more

Insight

Meta given €1.2b fine for breach of the GDPR

The critical consequences of non-compliance with data transfer regulations between Europe and the US.

 Read more

Insight

Consumer subscription contracts: what you need to know under the new regime

Our Commercial team discusses the impact the changes may have on businesses in the UK.

 Read more

Insight

UPDATE: The UK & US commit to the free flow of personal data between the two countries

Building a ‘data bridge’ between the UK and US to facilitate the free flow of personal data.

 Read more

Insight

The Information Commissioner’s Office issues £12.7m fine for misusing children’s data

The ICO has issued the social media platform TikTok with a £12.7m fine for breaching the UK GDPR, including failing to process children’s data lawfully.

Read more

Insight

Late payment interest: what does the ‘Prompt Payment & Cashflow Review’ mean for late payments?

Our Commercial team look at what the Government's review of the current practices and measures in place concerning late payment issues may mean for businesses.

 Read more
SHARE

Share

Scroll to next section

Scroll back to the top