We provide the complete commercial debt recovery service; from outsourced early arrears collections through to expert litigation, all handled in-house by a multi-award winning law firm.

Visit our debt recovery website

We provide the complete commercial debt recovery service; from outsourced early arrears collections through to expert litigation, all handled in-house by a multi-award winning law firm.

Visit our debt recovery website

Search

Insight

Privacy Shield

The General Data Protection Regulation (GDPR) makes it unlawful to transfer personal data outside of the EU unless certain conditions are met.

Until very recently, organisations could rely on the EU-US Privacy Shield as a valid data protection mechanism for the transfer of personal data from the EU to the US. However, in a recent case, the Court of Justice of the European Court overturned this on the basis that the US laws do not offer adequate protection for EU personal data.

What is the Privacy Shield?

The EU-US Privacy Shield framework was introduced in 2016 as a mechanism to provide those organisations who have chosen to comply with it, adequate protection for any personal data transferred from the EU to the US. It imposes stronger obligations on members to protect Europeans’ personal data than US law imposes alone. It also requires the US to monitor and robustly enforce more data protection principles and cooperate with European data protection authorities.

The Privacy Shield is commonly used by cloud-based providers to store large volumes of data in the US.

How does this impact you?

If your business transfers personal data to the US using the Privacy Shield as the method for protecting that data, or, a contractor you are working with relies on this mechanism when processing your data, then you must find an alternative transfer mechanism.

There is no enforcement grace period allowing organizations to continue transferring data from the EU to the US without assessing their legal basis for doing so.

What other options are there?

An alternative would be to use Standard Contractual Clauses (SCCs). These are a set of clauses that contain contractual obligations on both data exporters and importers in relation to the processing of personal data. SCCs are incorporated into contracts between parties and are the most commonly used mechanism for transfers of personal data outside of the EU.

The use of SCCs remains valid provided that your business verifies whether the overall context of the transfer (including the destination country) offers appropriate safeguards to the personal data. Where such appropriate safeguards cannot be provided, you must suspend or prohibit the transfer.

You may otherwise transfer personal data outside of the EU if the data subject gives you their explicit consent to do so. For consent to be deemed ‘explicit’ under the GDPR, it must be expressly confirmed in words, rather than by any other positive action, for example unticking a checked box.

 

Contact Us

Do you need assistance?

If you currently rely on the Privacy Shield as a transfer mechanism and require advice on reviewing your data flows and implementing an alternative, legally compliant, transfer mechanism, please call 01332 226 130 or complete the form below.

Related Services

Other areas of interest

Commercial contracts Data protection Fixed-cost contract review IT and e-commerce contracts

Knowledge

The latest from our experts

Insight

Renewing a contract: what to consider

The important considerations that need to be made when renewing a contract.

 Read more

Insight

Remote working and data protection: what to consider

Our Commercial team provides guidance on what measures employers can take to ensure the security of personal data.

 Read more

Insight

Contact tracing: complying with the data protection laws

Guidance for employers who intend to collect customer and visitor information as part of the Government's contact tracing scheme and data protection compliance.

 Read more

Insight

Do I need a data protection officer (DPO)?

In this insight article, our Commercial team takes a look at the regulations about who needs to appoint a data protection officer and what the role involves.

 Read more

Insight

Cancellation and breaches of contracts due to coronavirus

Where do contracting parties stand with force majeure clauses and how to mitigate potential negative implications of cancellation and breaches of contracts.

 Read more

Resource

Insight

Who can access a child’s personal data?

We explore the circumstances where parents or guardians can make subject access requests on behalf of their children.

 Read more

Resource

Heads of terms template and guidance

Insight

What are the data protection implications for your organisation post-Brexit?

This article outlines the data protection implications that could arise for your organisation from the UK’s exit from the EU on 31 January 2020.

 Read more

Insight

Why memorandums of understanding (MoUs) make practical sense for sealing the deal

In this article, we set out the reasons why memorandums of understanding (MoUs) are an important stepping stone in formalising contractual terms.

 Read more

Insight

Equipment hire agreements: small print with a big bite

An equipment hire agreement is a contract where one party rents equipment from the other.

 Read more

Insight

Non-disclosure agreement: what should be included?

This article will help you to understand what you should consider when reviewing a non-disclosure agreement.

 Read more
Subscribe

Share

Scroll to next section

Scroll back to the top

We use cookies, in line with our cookie policy, to improve your browsing experience and require your consent to set them. If no selection is made, we will assume your consent to the use of cookies.

Consent Manage Settings