EU-US Privacy Shield invalid: now what?

Publication date: 27 August 2020
The EU-US Privacy Shield has been invalidated. This means that companies need another legal basis for the transfer of data of EU citizens to the US. It is strongly recommended to quickly implement appropriate alternative safeguard mechanisms, e.g. Standard Contractual Clauses or Binding Corporate Rules.


On 16 July 2020, the Court of Justice of the European Union invalidated the EU-US Privacy Shield in Case C-311/18 (called: ‘Schrems II’). The decision greatly impacts companies that based their data transfers between the EU and the US on the Privacy Shield. Where to go from here?

A step back: what is the EU-US Privacy Shield?

All EU member states and the three additional EEA countries (Norway, Iceland and Liechtenstein) have implemented the EU General Data Protection Regulation (‘GDPR’) in their national laws. Countries not complying with the GDPR are referred to as third countries. Following from the GDPR, personal data can only be transferred to a third country if that country offers an adequate level of data protection. The GDPR offers a wide range of safeguard mechanisms based on which data can be transferred to third countries, amongst others:

  • Adequacy decisions from the European Commission, stating that a third country ensures an adequate level of data protection for EU personal data;
  • Binding corporate rules (‘BCRs’), in which an organization lays down the safeguards for the protection of personal data when transferring to third countries within a group of companies;
  • Standard contractual clauses (‘SCCs’), being model clauses for data protection that have been approved by the European Commission.

The US is a third country and does not offer an adequate level of data protection. In order to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements following from the GDPR relatively easily, the EU-US Privacy Shield was created. US companies were given the opportunity to voluntarily comply with this framework through certification, which companies were recorded by the US Department of Commerce. If a US company was not certified under this framework, contractual arrangements complying with the GDPR had to be made. The framework allowed free transfer of data from the EU to US companies that were certified under the Privacy Shield. The European Commission recognized the US, limited to the Privacy Shield framework, as providing adequate protection as required by the GDPR in an adequacy decision.

Schrems II

In Schrems II the Court of Justice of the European Union ruled that:

  1. The Privacy Shield does not provide an adequate level of data protection between the EU and the US, and therefore is invalid; and
  2. The Standard Contractual Clauses approved by the European Commission remain valid. However, additional protections need to be implemented when SCCs are used as a legal basis for data transfers. The data exporter is responsible for the assessment of whether the level of data protection offered by the countries to which data are sent is adequate. The exporter must take into consideration the content of the SCCs, the specific circumstances of the transfer and the legal regime applicable in the importer’s country.

Please note: according to the European Data Protection Board (‘EDPB’) these additional protections also need to be taken into account when BCRs are used as a legal basis.

A step forward: where do we go from here?

As a result of the immediate effect of the decision, data transfers on the basis of the Privacy Shield are illegal as from 16 July 2020.

Therefore, we would like to provide you with some points of attention:

  1. If EU and US companies wish to continue to transfer data between the EU and the US, it is strongly recommended to quickly implement appropriate alternative safeguard mechanisms, e.g. Standard Contractual Clauses or Binding Corporate Rules, in order to at least provide for a legal basis for transferring data. Having a legal basis in itself, however, does not necessarily ensure an adequate level of data protection.
  2. When implementing either SCCs or BCRs, the level of data protection in the importing country needs to be assessed, taking into account the factors mentioned under ii and supplementary measures that can be put in place in order to provide an adequate level of data protection. Supplementary measures could be legal, technical (e.g. encryption) or organizational measures. The SCCs or BCRs along with possible supplementary measures should ensure that US law does not intrude in the adequate level of data protection they guarantee. This requires a case-by-case analysis and assessment of the circumstances of the transfer. As a controller, make sure to check whether your processor uses services from the US (e.g. Google Analytics).
  3. If, in any case, appropriate safeguards cannot be ensured, the data exporter is required to suspend or end the transfer of personal data. You must notify your competent Supervisory Authority if you intend to continue transferring data, despite this conclusion.
  4. Consider alternatives:
    1. Investigate whether it is possible to move data processing and storage to Europe
    2. Look for European alternatives for data services to work with and/or
    3. Conclude contracts only with a European subsidiary of any third country company if that ensures an adequate level of data protection.
  5. Meanwhile, the development of any alternative instruments or new safeguards by the EU Commission should be closely followed.

Please note: the US Department of Commerce has stated to continue to administer the Privacy Shield programme. The decision of the Court of Justice of the European Union does not relieve participating (certified) US companies of their Privacy Shield obligations. It is, however, possible to withdraw from the Privacy Shield. In that case the company must continue to apply the Privacy Shield principles to the data it received while participating in the Privacy Shield.

What can we do for you?

You can contact Russell Advocaten with all your GDPR-related matters. We will gladly help you assess how to comply with all requirements in order to be able to transfer data within and outside the EU. Please contact us:

    Share on social media

    • IT and ICT

    Privacy: New European Data Protection Regulation

    28 May 2015

    In this newsletter Russell Advocaten will inform you, in short, about the most important changes to be expected in the European data protection regulations. More detailed information on this topic can be found in our previous newsletters.

    read on
    • Fashion and luxury
    • Contracts

    GDPR: Are you a processor or a controller?

    12 November 2018

    The new European privacy regulation creates a great deal of confusion. Do you comply with the GDPR?

    read on
    • IT and ICT
    • Employment law and dismissal

    Is your staff management ready for the GDPR?

    23 May 2018

    At the end of the week, on 25 May 2018, the General Data Protection Regulation (GDPR) comes into force. This does not just have consequences for your website or online shop but also for your staff management. Is it ready for the GDPR?

    read on
    • IT and ICT
    • Employment law and dismissal

    Uber drivers are employees, not self-employed workers

    14 September 2021

    According to the Amsterdam District Court, Uber drivers are employees. Therefore, they are covered by the collective agreement of the taxi industry with all associated rights and obligations. How did the District Court reach this judgement? And what does it mean for other forms of platform work?

    read on
    • Expats
    • Employment law and dismissal

    17 June 2021: Employment Webinar “Tricky sickness issues”

    17 June 2021

    If your employee reports sick, this may raise many difficult questions. What are your reintegration obligations during the sick leave period? What are you allowed to record about your sick employee with regard to the privacy legislation? We answered these and other questions during a webinar. Watch the video!

    read on
    • Expats
    • Administrative law and the environment

    The Netherlands: Gateway to Europe

    3 May 2021

    The Netherlands likes to present itself as “the gateway to Europe.” And not without reason: excellent travel connections (Schiphol Amsterdam Airport and Rotterdam Seaport) and a highly educated population speaking several languages.

    read on
    • Fashion and luxury
    • Contracts

    Contracts: How to restrict internet resale?

    5 February 2021

    Internet sale offers a wide range of possibilities to reach consumers, but how can suppliers control the Internet resale of their products? What is permitted? And what isn’t? What are the rights of your distributors?

    read on
    • IT and ICT
    • Corporate law

    2020: Mandatory registration in UBO register

    26 August 2020

    As of 27 September 2020, each newly established or already existing company in the Netherlands must register its UBOs in the UBO register at the Chamber of Commerce. How does that work? And how is the privacy of UBOs ensured?

    read on