Privacy Shield is Invalid: Are you at risk of illegal data transfer?


Companies acting both as data controllers and data processors must now take action in order to ensure the legality of data transfers from the EU to the US. Failing to do so could result in fines of up to 4% of global turnover.

This article outlines why Privacy Shield is invalid and what you need to do to ensure you stay compliant.


What is Privacy Shield and why was it invalidated?

The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed to provide companies on both sides of the Atlantic with a mechanism to comply with data protection laws when transferring personal data from the European Union and Switzerland to the United States. On 16 July 2020 the European Court ruled that the US laws authorizing public authorities to access personal data transferred from the EU to the USA are not compatible with EU privacy laws. This means that Privacy Shield no longer constitutes a valid basis for the transfer of personal data to the United States.



What do you need to do?

The European Court invalidated Privacy Shield with immediate effect. The impact of this decision is extensive, as it affects not only the day-to-day transfers of PII, but also the numerous agreements with non-EU-based suppliers employed to provide services to EU businesses. These companies must now carefully review their relationships with all suppliers to check whether any of those suppliers relied upon Privacy Shield. A new transfer mechanism must now be put in place, which is likely to be “Standard Contractual Clauses” (SCC). These are now the most effective and readily available data transfer mechanism for ensuring that data can continue to be transferred lawfully to countries outside the EU. This means that the scrutiny of SCC will be high. The responsibility is on the organization transferring the data from the EU to conduct effective due diligence. This may well be apparent to many organizations as the UK leaves the EU.

What are the consequences of non-compliance?

If companies fail to review their data transfers in line with SCC and their privacy policy, and are found to be illegally transferring data to the US, they could face fines in line with the GDPR guidelines, which could be up to 4% of global turnover. However, the International Trade Administration has advised that “companies must still abide by the EU-US & Swiss-US Privacy Shield programme”. Companies will still be accountable, and must still apply for and renew their applications.

What can CQR do to help?

CQR’s Information Security Specialists have extensive experience in privacy regulations. After reviewing the guidance issued by both the CJEU and Privacy Shield, we have identified the actions required to comply with the Data Protection Act 2018 and GDPR.
If your organization previously relied on your US suppliers’ participation in Privacy Shield in order to use their services, we can assist you with reviewing all data processing activities and determining whether there is any impact from the Privacy Shield ruling. As part of this review, we can help ensure that all data transfers are lawful and compliant.

If the above information raises any concerns within your organization, or you would like to discuss any of the issues with someone from CQR, please get in touch.
