The EU-US privacy shield has gone. Now, what about your data transfers?

In July, the Court of Justice of the European Union (CJEU) invalidated the EU-US privacy shield, which allowed companies to sign up to higher privacy standards before transferring data to the US. This means that company data transfers based on the privacy shield are no longer compliant with the law. Does it matter if your company was not relying on the privacy shield for transferring the personal data of EU residents to US? Does it matter if your company is transferring personal data of EU residents to a third country? I aim to set the facts straight.

The EU’s General Data Protection Regulation (GDPR) requires that the personal data of EU residents be protected even when the data travels outside of the EU. To achieve this, companies were usually reliant on the EU-US privacy shield as the accepted protocol when transferring personal data to the US, in combination with other means such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).

Now, if you do not know about these terms, think of SCCs as a standard set of legal clauses that are inserted into a contract when data is transferred outside of the EU. BCRs are a company’s internal rules for processing that are formally validated by an EU authority and permit a company employing them to transfer data within its own entities outside of EU.

What did the court decide?

Based on a case filed by privacy activist Max Schrems, the CJEU decided that:

  • EU standards of data protection must travel with the data when it goes overseas. This is re-affirmation of the rules in the EU’s GDPR.
  • EU citizens do not enjoy the level of protection demanded by EU law when their data is transferred to the United States. This meant the invalidation of the EU-US privacy shield (also referred to as Safe Harbor agreement).

Whilst the Standard Contractual Clauses were not invalidated by the CJEU ruling and the Binding Corporate Rules still remain technically available, the court suggested that data exporters must conduct an upfront analysis to ascertain whether they can in fact legally use these tools to move data in their specific context. So, anyone using SCCs or BCRs for the transfer of EU residents’ data isn’t exempt from carrying out an assessment and needs to inform the relevant supervisory authority if they intend to keep using the mechanism despite assessment results delivering a negative outcome.

What does it mean?

This decision by the CJEU has implications in the longer term. SCCs will be revised and new data transfers need to ensure sufficient safeguards over and above SCCs and BCRs. Companies are expected to take the following actions:

  • Rewrite contracts or stop transfers if your company relied on the privacy shield as a means for the transfer of personal data to the US.
  • Conduct an assessment and evaluate safeguards if your company relied on SCCs or BCRs. Basis assessment, if the conclusion is negative, your company takes corrective action, suspends transfers, or informs the supervisory authorities if your company chooses no action despite a negative conclusion.

It may seem that this impacts only data transfers to the US. However, the fact that the court also said EU data protection rules shall travel with personal data means it can be applied across all your data transfers. Yes, this does imply that even when you are transferring personal data to a third country, it is recommended that an assessment is conducted and appropriate actions taken (similar to the situation of usage of SCCs or BCRs when transferring to US). Yes, this is significant and does create significant effort. And, let us be aware, it is in the interest of both the company exporting data and the company importing data. And this includes software vendors that maybe providing outsourcing services.


The fact is that companies will be expected to conduct a detailed examination of the circumstances surrounding each transfer, the adequacy of protection in the country to which the data will be transferred, and the parties processing the data. So, irrespective of where your company exports the personal data of EU residents, it is worthwhile to review and conduct an assessment to be certain that the safeguards mentioned in contractual terms are sufficient. It is likely that there some action will be necessary to make sure your company is protected against the risks.

Unlike many news and information platforms, Emerging Europe is free to read, and always will be. There is no paywall here. We are independent, not affiliated with nor representing any political party or business organisation. We want the very best for emerging Europe, nothing more, nothing less. Your support will help us continue to spread the word about this amazing region.

You can contribute here. Thank you.emerging europe support independent journalism

About the author

Punit Bhatia

Punit Bhatia

Punit Bhatia is one of the world's leading privacy experts who has worked with professionals in over 30 countries. Punit guides business and privacy leaders on GDPR-based privacy compliance through online as well as in-person training and consulting.

Add Comment

Click here to post a comment