Privacy Shield no longer valid and questions remain about US data transfers

Schrems II Privacy Shield SCC in doubt

Share This Post


  • 21/07/2020 – ICO have added the following statement to the “International Transfers” section of their GDPR guidance: “If you are currently using Privacy Shield please continue to do so until new guidance becomes available. Please do not start to use Privacy Shield during this period.”

Yesterday, the EU courts declared the EU-US Privacy Shield invalid meaning that it can no longer be used for EU-US data flows. The reason for this decision is that US national security law usurps the privacy shield protections, meaning that the US government can force US businesses to hand over data which could include EU citizen data.

The Privacy Shield is an agreement between the EU and US for safe processing of EU data in the US for US businesses that sign up – it’s a self certification scheme relied on by 10s of thousands of US businesses to provide assurances to EU data controllers.

If you are using third-party cloud based services then there’s a chance (a) they’re hosted in the US and (b) the US provide is relying on Privacy Shield to provide assurances to you and your data subjects that it’s safe to process your data with the provider.

An alternative to the Privacy Shield are the Standard Contract Clauses (SCC) – non negotiable contract terms dictated by the EU and binding the non-EEA receiver of data to EU data protection standards. However, the terms of use of the SCC allow for them to be withdrawn if it is believed that the receiver is unable to be bound by the terms, which given the reason Privacy Shield is invalid is because of national security access to EU citizen data, it is difficult to see how the EU-US data transfer via SCCs will be valid.

So, this means that Privacy Shield can no longer be used and if SCCs are used instead for certain US businesses then they two will be invalid – in fact it will fall to the EEA based controller to determine whether it is appropriate and for the ICO and EU equivalents to determine whether SCC are valid for those businesses in the US.

But, don’t panic. It’s not clear yet what the solution will be. The ICO have acknowledged the case and are considering the implications (which could also impact our post-Brexit transition approach for dealing with UK-US data transfers), the EU are suggesting they will be updating the SCC and there will be some kind of determination about the validity of the use of SCC in the US as well.

In the meantime, we’re like to find US cloud providers and processors to offer their services running off EU based servers which is most likely to be one of the most effective way round the Privacy Shield and SCC restrictions, but this will require investment from the processors.

Worst case scenario: we’re no longer able to process our data in the US – but we’re a long way off that being a certainty

If you want to understand more about this issue and the implications for your business, then we can of course work with you on preparing plus we are running a FREE webinar on the 28th July to go through what this all means.

More To Explore


The key message from the ICO regarding the use of AI is not to forget if AI is processing personal data, then you need to

Read More »

Eat. Sleep. GDPR. Repeat.

We live and breathe GDPR and ePrivacy compliance, so you don’t have too. Our GDPR UNLIMITED helpline is all about offering you help and support, whenever you need it most. As well as the unlimited helpline, you get up to 4 hours “hands-on” help each month, which we can configure to help you in anyway you need such as a GDPR review, or acting as your DPO.

As well as the unlimited helpline and hands-on help you get GDPR and privacy updates, access to our GDPR knowledge centre and webinars.

Unlimited email & phone support

Unlimited email and phone support. Email or organise a voice call as often as you need each month.​

Up to 4 hours "hands-on" help per month

We use these "hands-on" hours to do the GDPR work for you, such as reviews, acting as your DPO, checking DPIA, dealing with breaches, training your staff, etc. (Additional hours: £100+VAT per hour)

Online resources

Our Knowledge Centre gives you access to information, guidance, topic related guides and other tools to support your GDPR and PECR compliance

Updates, alerts & briefings

We provide updates and alerts and a monthly compliance briefing. You can either sign into the Knowledge Centre or sign up via email to receive an email every time we add a new update or alert

DPO services

Whether mandated or not we can act as your Data Protection Officer (DPO) and manage your day to day compliance

Webinars, workshops & training

Whether updates on the latest issue, workshops or team training, it's all included in your monthly retainer.

LIKE WHAT YOU'RE READING? join our email list

Sign up for monthly briefings and the occasional emails about our webinars and services

Want to know more about how we use your data? Check out our privacy policy