Privacy Shield

The General Data Protection Regulation (GDPR) makes it unlawful to transfer personal data outside of the EU unless certain conditions are met.

Until very recently, organisations could rely on the EU-US Privacy Shield as a valid data protection mechanism for the transfer of personal data from the EU to the US. However, in a recent case, the Court of Justice of the European Court overturned this on the basis that the US laws do not offer adequate protection for EU personal data.

What is the Privacy Shield?

The EU-US Privacy Shield framework was introduced in 2016 as a mechanism to provide those organisations who have chosen to comply with it, adequate protection for any personal data transferred from the EU to the US. It imposes stronger obligations on members to protect Europeans’ personal data than US law imposes alone. It also requires the US to monitor and robustly enforce more data protection principles and cooperate with European data protection authorities.

The Privacy Shield is commonly used by cloud-based providers to store large volumes of data in the US.

How does this impact you?

If your business transfers personal data to the US using the Privacy Shield as the method for protecting that data, or, a contractor you are working with relies on this mechanism when processing your data, then you must find an alternative transfer mechanism.

There is no enforcement grace period allowing organizations to continue transferring data from the EU to the US without assessing their legal basis for doing so.

What other options are there?

An alternative would be to use Standard Contractual Clauses (SCCs). These are a set of clauses that contain contractual obligations on both data exporters and importers in relation to the processing of personal data. SCCs are incorporated into contracts between parties and are the most commonly used mechanism for transfers of personal data outside of the EU.

The use of SCCs remains valid provided that your business verifies whether the overall context of the transfer (including the destination country) offers appropriate safeguards to the personal data. Where such appropriate safeguards cannot be provided, you must suspend or prohibit the transfer.

You may otherwise transfer personal data outside of the EU if the data subject gives you their explicit consent to do so. For consent to be deemed ‘explicit’ under the GDPR, it must be expressly confirmed in words, rather than by any other positive action, for example unticking a checked box.

Please note, the information included in this update is correct at the date of publishing.