Woman in business attire sips coffee whilst reading legal documentation
1 min read

EU-US Privacy Shield Invalidated in EU Ruling

Posted by Picture of Team B.E. Team B.E.

In mid-July, with so much of the news coverage focused on various aspects of Covid-19, such as the long-awaited re-opening of pubs and restaurants, an important landmark ruling by the European Court of Justice (ECJ) may have been overlooked.

In a case brought forward by Max Schrems, the fate of the EU-US Privacy Shield was on the chopping block, with the decision ultimately falling in favour of invalidating the mechanism. Up till now, the Privacy Shield has allowed companies to comply with data protection requirements when transferring data between the EU and the United States.

The ECJ agreed that the Privacy Shield did not provide adequate protection to EU and UK citizens from the monitoring and investigations of the US government, therefore could no longer justify its use to move and store data in the US. This means that any company that has previously been transferring EU and UK residents’ personal data to the US could now be doing so unlawfully. The transfer of such data is estimated to affect over 5,000 companies with an estimated trade value of £5.6 trillion.

This leads to the obvious question of ‘do you know where all your client’s data is stored?’. If it is in the US, and the Privacy Shield has been used as justification for the location of the transfer and the storage of the data, then you will need to ensure that separate ‘standard contractual clauses’ are signed and agreed upon. Large well-known companies such as Microsoft already use them and remain unaffected by this ruling.

Return to listing