Transfer of Personal Data to the United States Following Invalidation of the Privacy Shield

Can I transfer personal data to the United States? Can I use a provider which stores personal data in the US? How do I need to deal with this data flow?

These are the questions which many companies are asking themselves following the invalidation of the Privacy Shield by the Court of Justice of the European Union (CJEU).

The “Privacy Shield” was an agreement between the EU and the US which allowed the transfer of personal data from the EU to the US. This agreement had been adjudged to be appropriate by the European Commission, thus forming the “justification” for all transfers of personal data to the US.

In July 2020 the Court of Justice of the European Union was called on to once again pass judgement on the suitability of the Privacy Shield, finding that United States law involved limitations to the protection of personal data which are not reconcilable with the GDPR. For this reason, the CJEU declared the previous decision on the agreement’s suitability to be invalid.

A regulatory void was thus created, and companies which had been transferring data to the US on the basis of the Privacy Shield have suddenly found themselves without a tool allowing such transfers.

Even with the demise of the Privacy Shield, there are other tools which, if properly managed, can allow data to be transferred to the US. We will analyze in detail what they are and in which cases they should be used.