Iubenda logo
Start generating


Table of Contents

The US Privacy Shield has been invalidated – Here’s what you need to know

📢 Important Update: EU-US Data Privacy Framework Agreement Reached! 🌍🤝

In light of this significant development, we have updated our coverage to reflect the latest information. To stay up-to-date on the new EU-US Data Privacy Framework agreement and its implications, we invite you to read our latest article on the topic.

🔍 Discover the latest: EU to USA Personal Data Transfers Now Approved

Thank you for your continued support and trust in our coverage of important global issues!

The latest ruling from the Court of Justice of the European Union on transfers outside of the EU came as quite a surprise to many and will directly impact the way that the data of EU based persons can be shared outside of the EU.

Following the decision of July 16, 2020 in Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18, businesses can no longer rely on the US Privacy Shield as a condition for cross-border data transfer under the GDPR as the shield had been invalidated.

We have compiled some preliminary information for you on the specifics of this decision and will keep you updated here on medium in the coming weeks and months, should anything notable happen.

Here is what you need to know

About the Privacy Shield

  • Normally, to transfer personal data of EU users outside of the EU, you need to meet the conditions outlined in articles 44-50 GDPR. These conditions ensure that you are able to meet EU standards of protection when handling the private of EU-based persons. For example, if you store personal data from EU citizens on a server in the United States, you will need to base this transfer on one of the existing compliance mechanisms.
  • Previously, US companies could become certified under the Privacy Shield to be a safe destination for EU personal data. Therefore when a Privacy Shield certified company received such data, this activity would not need any specific authorization.

Post-Court of Justice of the European Union ruling (Privacy Shield Invalidated)

  • The EU Court of Justice has ruled that the Privacy Shield’s system is in fact invalid. This means that transfers that previously relied upon the Privacy Shield now need to look elsewhere to be compliant.
  • However, SCC’s (Standard Contractual Clauses), binding corporate rules (BCRs) or express, informed consent can still apply. In the later case, the user must be explicitly informed of all risks involved in the cross-border transfer of their data before their consent can be obtained.

iubenda’s response – and how our clients can stay up to date with this latest compliance requirement

We’re currently making all the necessary changes to our product clauses wherever Privacy Shield impacts our product (in this case, the privacy policy disclosures).
If you’d like to update your processes to match the ruling of the Court right away, you can begin by reviewing any data transfer you make to the US (e.g. you use a vendor or tool that’s run by a US company).

If the data transfer was based on the Privacy Shield you’ll need to check whether or not that provider is now offering an alternative legal basis to justify data transfers, such as Standard Contractual Clauses integrated into the contract with the vendor, or explicit consent, for example.

To access more information and keep track of further developments, follow iubenda here on medium or on twitter.

About us


Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.