We provide the complete commercial debt recovery service; from outsourced early arrears collections through to expert litigation, all handled in-house by a multi-award-winning law firm.

 

Visit our debt recovery website
Search

We provide the complete commercial debt recovery service; from outsourced early arrears collections through to expert litigation, all handled in-house by a multi-award-winning law firm.

 

Visit our debt recovery website

Search

Insight

Privacy Shield

The General Data Protection Regulation (GDPR) makes it unlawful to transfer personal data outside of the EU unless certain conditions are met.

Until very recently, organisations could rely on the EU-US Privacy Shield as a valid data protection mechanism for the transfer of personal data from the EU to the US. However, in a recent case, the Court of Justice of the European Court overturned this on the basis that the US laws do not offer adequate protection for EU personal data.

What is the Privacy Shield?

The EU-US Privacy Shield framework was introduced in 2016 as a mechanism to provide those organisations who have chosen to comply with it, adequate protection for any personal data transferred from the EU to the US. It imposes stronger obligations on members to protect Europeans’ personal data than US law imposes alone. It also requires the US to monitor and robustly enforce more data protection principles and cooperate with European data protection authorities.

The Privacy Shield is commonly used by cloud-based providers to store large volumes of data in the US.

How does this impact you?

If your business transfers personal data to the US using the Privacy Shield as the method for protecting that data, or, a contractor you are working with relies on this mechanism when processing your data, then you must find an alternative transfer mechanism.

There is no enforcement grace period allowing organizations to continue transferring data from the EU to the US without assessing their legal basis for doing so.

What other options are there?

An alternative would be to use Standard Contractual Clauses (SCCs). These are a set of clauses that contain contractual obligations on both data exporters and importers in relation to the processing of personal data. SCCs are incorporated into contracts between parties and are the most commonly used mechanism for transfers of personal data outside of the EU.

The use of SCCs remains valid provided that your business verifies whether the overall context of the transfer (including the destination country) offers appropriate safeguards to the personal data. Where such appropriate safeguards cannot be provided, you must suspend or prohibit the transfer.

You may otherwise transfer personal data outside of the EU if the data subject gives you their explicit consent to do so. For consent to be deemed ‘explicit’ under the GDPR, it must be expressly confirmed in words, rather than by any other positive action, for example unticking a checked box.

Please note, the information included in this update is correct at the date of publishing.

Contact Us

Do you need assistance?

If you currently rely on the Privacy Shield as a transfer mechanism and require advice on reviewing your data flows and implementing an alternative, legally compliant, transfer mechanism, please call us on 01332 226 130 or complete the form below.

Related Services

Other areas of interest

Commercial contracts Data protection IT and e-commerce contracts

Knowledge

The latest from our experts

Insight

Legal obligations and practical steps after Expert Tooling v Engie

Learn about fiduciary duties, commission disclosure, and legal compliance after the Expert Tooling v Engie ruling.

 Read more

Insight

Supreme Court reaffirms strict fiduciary standards

Learn how Rukhadze v Recovery Partners reinforces strict fiduciary duties and what it means for your business and governance.

 Read more

Insight

Impact of new regulatory guidance on AI innovation and compliance in finance

The ICO and CMA's joint statement outlines new AI in finance regulations, focusing on data protection, competition, and consumer safeguards.

 Read more

Insight

How businesses can meet the UK’s new modern slavery transparency rules

A decade of progress – but the fight against modern slavery isn’t over, we highlight how businesses can meet stricter transparency rules.

 Read more

Insight

Supporting AI, innovation, and growth in financial services

Navigate AI regulations in financial services. Key insights from the FCA & ICO on compliance, data protection, and innovation.

 Read more

Insight

AI usage policy for businesses

Explore how to create an AI usage policy that mitigates risks and ensures responsible adoption for your business.

 Read more

Insight

Why data safety and optimisation drive business success

Effective data safety and optimisation are key to business success, reducing risks and improving efficiency in a digital world.

 Read more

Insight

Breaking ground: EU court awards damages for data transfer breach – What it means for businesses

Landmark EU court ruling awards damages for unlawful data transfer. Learn what this means for GDPR compliance and safeguarding your business.

 Read more

Insight

Data Protection Week: Essential data security tips for SMEs

Protect your SME from data breaches. Discover key tips for GDPR compliance and data security during Data Protection Week.

 Read more

Insight

Negotiating terms that boost profitability: A commercial contracts lawyer’s guide

Boost profitability with well-negotiated commercial contracts—learn essential terms to protect and grow your business.

 Read more

Insight

Understanding the Data (Use and Access) Bill: What businesses need to know

Discover the key changes introduced by the Data (Use and Access) Bill and how organisations must adapt to meet compliance requirements.

 Read more

Insight

Cookies without consent: Sky Betting and Gaming sanctioned

Sky Betting and Gaming was sanctioned for using advertising cookies without user consent, violating GDPR regulations.

 Read more

Scroll to next section

Scroll back to the top

Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

For more information on how these cookies work, please refer to our Cookies Policy.

Strictly necessary cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytics Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our website. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous.

Force24 cookies & tracking

This website utilises Force24’s marketing automation platform. Force24 cookies are first-party cookies and are enabled at the point of cookie acceptance on this website. The cookies are named below:

F24_autoID
F24_personID

They allow us to understand our audience engagement thus allowing better optimisation of marketing activity.