GDPR Takes Down EU-US Privacy Shield

GDPR Takes Down EU-US Privacy Shield

Profile picture for user VinayJoosery
Vinay Joosery
04 August 2020

On July 17th, 2020, the Court of Justice of the EU (CJEU) invalidated the EU-US Privacy Shield

GDPR Takes Down EU-US Privacy Shield


Over 5000 companies relied upon that framework to transfer data from EU to US. Among them, we can find the world’s biggest cloud vendors - Amazon, Microsoft, IBM and Google. 

That’s not great news if you are storing your data with one these cloud providers… and who doesn’t? 

What is Privacy Shield?

The EU-US Privacy Shield is a framework designed by the EU and US to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the EU to the US in support of transatlantic commerce. 

As technology companies gather large amounts of data on people, there is a concern that data about EU citizens flowing to third countries would be at risk. Data transfer out of the EU is not illegal, as long as the third country has a level of data protection that is equivalent to that offered within the EU.

The Privacy Shield gave a sense of legitimacy to US cloud services, but EU based companies now face a dilemma - store your data with a US cloud vendor and run the risk of breaking the GDPR

What is Privacy Shield?

Standard Contractual Clauses (SCCs)

Now, companies in the EU can still transfer personal data to the US under standard contractual clauses (SCCs). These are standard sets of terms and conditions which the sender and the receiver of personal data both sign up to, aimed at protecting personal data leaving the EU. They are effectively contractual obligations in compliance with the GDPR’s requirements in territories which are not considered to offer adequate protection to the rights and freedoms of data subjects.

However, these standard clauses are being questioned by regulators in the different EU countries. 

It is now up to the local regulators to determine whether the use of SCCs is valid in a particular use-case and country. In Ireland, the Data Protection Commissioner says "the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable”. Some local regulators have gone further, with Berlin’s data protection commissioner calling on Berlin-based companies to "return EU data currently stored in the U.S. back to the EU". 

So What's Next?

So what does it all mean to companies in the EU? Will there be a new framework to take over from Privacy Shield, just as Privacy Shield replaced Safe Harbour?

Facts are stubborn things. On one hand, we have the GDPR and its high ideals in human rights for EU personal data. On the other hand, we have the U.S. government mass surveillance programs. Unless the US changes its laws, it’s hard to see how a company can adhere to GDPR when they store their data with a US cloud vendor. 

It is important to remember that Backup Ninja allows you to specify exactly where you want your data to be stored. You can store your backups in a number of public clouds, including vendors that are entirely based within the EU or Switzerland.