Privacy Shield no longer valid and questions remain about US data transfers

Schrems II Privacy Shield SCC in doubt

Share This Post

Share on facebook
Share on linkedin
Share on twitter
Share on email


  • 21/07/2020 – ICO have added the following statement to the “International Transfers” section of their GDPR guidance: “If you are currently using Privacy Shield please continue to do so until new guidance becomes available. Please do not start to use Privacy Shield during this period.”

Yesterday, the EU courts declared the EU-US Privacy Shield invalid meaning that it can no longer be used for EU-US data flows. The reason for this decision is that US national security law usurps the privacy shield protections, meaning that the US government can force US businesses to hand over data which could include EU citizen data.

The Privacy Shield is an agreement between the EU and US for safe processing of EU data in the US for US businesses that sign up – it’s a self certification scheme relied on by 10s of thousands of US businesses to provide assurances to EU data controllers.

If you are using third-party cloud based services then there’s a chance (a) they’re hosted in the US and (b) the US provide is relying on Privacy Shield to provide assurances to you and your data subjects that it’s safe to process your data with the provider.

An alternative to the Privacy Shield are the Standard Contract Clauses (SCC) – non negotiable contract terms dictated by the EU and binding the non-EEA receiver of data to EU data protection standards. However, the terms of use of the SCC allow for them to be withdrawn if it is believed that the receiver is unable to be bound by the terms, which given the reason Privacy Shield is invalid is because of national security access to EU citizen data, it is difficult to see how the EU-US data transfer via SCCs will be valid.

So, this means that Privacy Shield can no longer be used and if SCCs are used instead for certain US businesses then they two will be invalid – in fact it will fall to the EEA based controller to determine whether it is appropriate and for the ICO and EU equivalents to determine whether SCC are valid for those businesses in the US.

But, don’t panic. It’s not clear yet what the solution will be. The ICO have acknowledged the case and are considering the implications (which could also impact our post-Brexit transition approach for dealing with UK-US data transfers), the EU are suggesting they will be updating the SCC and there will be some kind of determination about the validity of the use of SCC in the US as well.

In the meantime, we’re like to find US cloud providers and processors to offer their services running off EU based servers which is most likely to be one of the most effective way round the Privacy Shield and SCC restrictions, but this will require investment from the processors.

Worst case scenario: we’re no longer able to process our data in the US – but we’re a long way off that being a certainty

If you want to understand more about this issue and the implications for your business, then we can of course work with you on preparing plus we are running a FREE webinar on the 28th July to go through what this all means.

No need to worry about your GDPR compliance. We've got it covered

CHOOse the support option for you

Subscribe To Our Article 13 GDPR Newsletter

Get our monthly briefing on all things GDPR

More To Explore

Advice & guidance tailored to your business

Mark gracey GDPR Helpline

We'll help you protect your business and your customers