Privacy Shield invalidated: what this means for your data flows to the US

The EU-U.S. Privacy Shield was an agreement between the US Department of Commerce and the European Commission on the exchange of personal data between companies in the EU and the US. The Privacy Shield came into effect on August 1, 2016.

However, on 16 July 2020, the Court of Justice of the European Union declared the EU-U.S. Privacy Shield invalid in the Schrems II case. This means that organizations in the EU can no longer transfer personal data to the United States (US) on the basis of the Privacy Shield.

The General Data Protection Regulation (GDPR) states that personal data may not simply be transferred to persons or organizations located in countries outside the European Economic Area (third countries), such as the US. Such a transfer is only allowed if the level of protection for personal data guaranteed by the GDPR is not undermined in those third countries.

Our in-house Governance & Security Consultant, Tom Koonen, has researched the consequences of the Privacy Shield invalidation in more detail. To inform you as fully as possible, Tom has looked at the impact this may have on our company as well as on our customers.