Latest News | News

EU-US Privacy Shield Deemed Invalid

Are your international data transfers GDPR compliant?

EU-US Privacy Shield Deemed Invalid

On 16th July 2020, the European Court of Justice (ECJ) gave its preliminary ruling in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18) (Schrems II). The court found that the adequacy of the protection provided by the EU-US Privacy Shield is invalid and, as a consequence, businesses can no longer rely on the EU-US Privacy Shield as means for compliance with the GDPR when transferring data between the EU and the USA.

Am I affected?

Any business transferring data between the EU and the USA that is currently relying on the EU-US Privacy Shield as a means of compliance with the GDPR will now likely be deemed to be in breach of the GDPR.

As such, it is vital that if your business is transferring data to the USA (even if the business is simply using servers based in the USA), that you review your privacy policies to ensure that you have a lawful basis to do so. If you are currently relying on the EU-US Privacy Shield as a basis for compliance then it is likely your policy will need to be amended to ensure compliance.

The European Data Protection Board (EDPB) have issued a number of FAQs by way of guidance following the decision of the ECJ and these can be found here:

Importantly, the EDPB has confirmed that there is no grace period following the ruling of the ECJ and so any required changes should be made immediately to ensure compliance with the GDPR.

What other options do I have?

Although the EU-US Privacy Shield has been deemed invalid, it is still possible to transfer data outside of the EU and maintain compliance with the GDPR provided other appropriate safeguards have been implemented. These may include:

  • Standard Contractual Clauses which have been prepared and entered into;
  • Binding Corporate Rules which are in place; or
  • Derogations for Specific Situations such as the explicit, specific and informed consent of the data subject which are in place.

It is likely that the above may require further documentation to be prepared and for your privacy policy to be amended so the position should be reviewed as soon as possible.

What are the consequences of non-compliance with the GDPR?

The transfer of personal data to a third party in a country outside of the EEA that does not afford an adequate level of data protection is a breach of the GDPR. This could mean that, if your business is not compliant, you may face administrative fines of up to 20million or up to 4% of the total worldwide annual turnover of the business in the preceding financial year (whichever is higher).

As such, compliance with the GDPR should be treated very seriously by any business.

If your business is currently relying on the EU-US Privacy Shield for compliance with the GDPR, or for further advice in relation to compliance with the GDPR generally, please contact Piers Larbey at or David Gee at who have a wealth of experience and would be happy to assist.