20/04/2022
A recent joint announcement from the US and EU states a new Privacy Shield has been agreed in principle. This news will be a relief to many organisations responsible for the flow of personal data between the US and the EU.
Until 2020, Privacy Shield was the main mechanism under which personal data could be transferred between organisations in the EU and the US while complying with the EU’s data protection regime (specifically the General Data Protection Regulation, or GDPR).
However, in July 2020 the Court of Justice of the European Union ruled Privacy Shield invalid in the case of Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems (Schrems II). The court held the scheme was invalid because the US was unable to offer certain guarantees in order to protect data subjects’ rights.
Without the scheme, organisations have been forced to turn to other more cumbersome methods to legitimise data flows into/out of the US. The situation was further complicated by the UK’s withdrawal from the EU and recent issue of its own international data transfer mechanism (the ‘International Data Transfer Agreement’), and the EU’s release of updated data transfer precedent clauses (‘Standard Contractual Clauses’).
A clear, unambiguous and updated reissue of Privacy Shield has the potential to significantly ease data flows between the EU and the US. In particular, it may streamline data protection compliance where EU entities use US processors, such as Amazon Web Services or Microsoft cloud storage.
However, the announcement indicates that the US will be countering the issues raised in Schrems II with policy changes, rather than changes in law. It remains to be seen whether this will be enough to satisfy the European Courts – Max Schrems has already indicated his organisation will be considering the final text closely, and is prepared to take the matter to court again.
The scheme itself does not relate to the UK directly; however, it is likely to be indicative of the near future for UK data protection regulation. In particular, recent comments from the Department for Digital, Culture, Media and Sport show the government is eager to allow organisations more flexibility to expand data processing. A UK-specific version of a new Privacy Shield agreement would be a key cornerstone for such a move.