The Privacy Shield is Dead: Now What?

Posted by Stephan Grynwajc on July 17, 2020 at 1:14 PM

After years of uncertainty, the fate of the EU-U.S. Privacy Shield (“Shield”) has finally been determined. On July 16th, the EU’s highest court, the Court of Justice of the European Union (CJEU), declared the Shield to be invalid as a lawful mechanism for transferring the personal data of EU residents to the U.S.

This decision impacts thousands of U.S. companies receiving data from the EU, who, until now, relied on the Shield’s self-certification process to validate their operations, including such industry titans as Amazon, Google and Facebook. (A full list of Privacy Shield-certified companies can be found here). Managed in the U.S. by the Department of Commerce, the Shield allowed U.S. companies to keep their data processing activities under the watchful eye of U.S. regulators as opposed to that of the EU’s national supervisory authorities. However, in light of the CJEU’s decision, this is no longer the case.

So, where do we go from here? Shield-certified companies now must choose a different EU-approved mechanism for validating the transfer of EU personal data to the U.S. 

Alternative Mechanisms for Validating Transfers
Under Article 46 of the GDPR, other mechanisms for validating data transfers outside of EU borders include the following:

  1. Binding Corporate Rules (BCRs), a set of EU-vetted and legally enforceable rules for the processing of personal data when personal data is transferred between members of a corporate group or group of enterprises engaged in joint economic activity;

  2. Transfers to a select group of countries deemed “adequate” by the Commission (of which the United States is not one) on the basis that they offer a level of protection to personal data that is similar to EU protections; or

  3. European Commission’s Standard Contractual Clauses (SCCs), a set of non-negotiable contract provisions which contractually bind the data importer to process EU data in accordance with the law of the EU Member State in which the data exporter is established. The SCCs (or “Model Clauses”) exist in two forms: (a) those governing international transfers between a data controller (also known as “data exporter”) based in the EU and a data processor (also known as “data importer”) based outside of the EU, and (b) those applicable to international transfers between EU-based data controllers and non-EU-based data controllers (such as in the case of corporate affiliates).

Standard Contractual Clauses – the next best option
It is likely that most U.S. companies who built their compliance programs upon the Shield’s self-certification process will now turn to the EU Commission’s SCCs for validating their data processing activities in the U.S. The clauses are convenient in terms of eliminating regulatory filings of any kind. That said, they do require companies to verify that appropriate safeguards exist (from the point of collection in the EU to the destination country) to protect an individual’s personal data. Further, final authority on the sufficiency of such safeguards will be left in the hands of EU data protection authorities, not the U.S. Department of Commerce. The SCCs will also require that U.S.-based data importers be familiar with EU data protection laws, including the data protection laws of each EU Member State from which the data is collected for processing in the U.S.

If your business is impacted by this recent CJEU ruling - whether your organization is a self-certified Shield entity or it shares EU personal data with a 3rd party vendor or other 3rd party that is Shield-certified - our team of privacy attorneys, which includes dual U.S.- and EU-qualified counsel, can assist with evaluating your options and developing a compliance plan for your international transfers of data that will simultaneously meet the requirements of both U.S. and EU laws. For more information, please contact Stephan Grynwajc at stephan@outsidegc.com or 347-543-3035.


Stephan Grynwajc served as a senior in-house attorney for several blue-chip technology corporations (e.g., Intel and Symantec) in France, the U.K. and the U.S., and today, focuses his practice on advising U.S.-based clients on navigating the EU privacy landscape. stephan@outsidegc.com



Topics: Privacy, Data Privacy, EU Data Protection, GDPR, EU-U.S. Privacy Shield, privacy compliance

This publication should not be construed as legal advice or a legal opinion on any specific facts or circumstances nor an offer to represent you. It is not intended to create, and receipt does not constitute, an attorney-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal questions you may have. Pursuant to applicable rules of professional conduct, portions of this publication may constitute Attorney Advertising.

Outside GC is an innovative approach to legal services for growing and mature businesses. Companies who engage Outside GC fall into two main categories: (1) those without in-house counsel who need regular, on-going legal support but do not wish to hire a full-time in-house lawyer, and (2) those with in-house counsel who do not wish to add more full-time resources to their existing in-house staff. Contact us to speak to one of our on-demand attorneys.