EU-US Privacy Shield ruled invalid. What does this mean for you?

A lot of people reading this blog post have probably never heard of the now defunct EU-US Privacy Shield. If you were aware of it, you may or may not have heard about the ruling that came out in 2020, which is what this blog article is about.

If you are not familiar with the EU-US Privacy Shield, in its most basic description it was a framework agreed between the United States and the European Union. Businesses in the US would self-certify to the Privacy Shield to become part of it. Being certified allowed the transfer of data (usually personal data) from the EU to that business, on the basis that the data would be sufficiently protected once it arrived in the US.

However, in July 2020 the Court of Justice of the European Union ruled that the EU-US Privacy Shield was no longer valid, because of the way US authorities could potentially access and process transferred data for the purposes of public security, defence and state security (which includes the US surveillance programmes), and because EU citizens had no effective way to challenge that access.

Because of the potential for access by the US government, the court found that the level of protection for data transferred to the US could not be guaranteed to be essentially equivalent to that required by the GDPR and the EU Charter of Fundamental Rights.

This meant the EU-US Privacy Shield was invalidated, so any company that was relying on it as its mechanism for transferring personal data from the EU to the US can no longer do so.

So, now that the EU-US Privacy Shield is no longer valid, how can companies transfer data and ensure that processing is legally performed? Well, even now in 2021 a lot of it is still up in the air, but the consensus is that you can continue to use Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). However, it is strongly recommended that you verify, on a case-by-case basis, that the processing, storing and controlling of the data is still in line with GDPR requirements and that the data, once transferred, is sufficiently protected (for example with supplementary technical measures such as encryption where the keys stay in the EU).

Businesses are now expected to check with their suppliers, partners and any other companies which process or control any type of data between the US and the EU. It is fair enough to ensure your own house is in order, but if you do your best and then hand the data to a third party which doesn't have sufficient controls in place, you are going to be in some trouble. Now is a good time to audit your suppliers: where they store and process data, which sub-processors they use, and what security controls protect the information.

When it comes to Amazon AWS and Microsoft Azure, both businesses have stated that the processing and transfer of data will be covered under Standard Contractual Clauses.

As of writing this, further details on the ruling and its impact on businesses can be found in the European Data Protection Board's FAQs here –