red arrow pointing right
Back to insights

Invalidation of the EU-U.S. Privacy Shield Program

June 2021
June 2021

On July 16, 2020, the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield Program, claiming that it doesn't offer sufficient protection. This program is a framework approved by the U.S. government and the European Union detailing how to protect data transfers between these two regions.

The U.S. Department of Commerce, together with the European Commission, the Swiss Government, and other stakeholders, developed the framework for the Privacy Shield. Participating entities must self-certify to the Department of Commerce and commit to the Privacy Shield Principles in addition to supplemental requirements. Joining the Privacy Shield was voluntary, but once a company made a public commitment to comply, the terms of the commitment become enforceable under U.S. law.

How Does the Ruling Affect Businesses?

Although the Privacy Shield has been invalidated, the decision “does not relieve participants already committed to the EU-U.S. Privacy Shield of their obligations under the existing framework.” So, if a business has publicly committed, the terms still apply to them.

The European Data Protection Board (EDPB) provides guidance for FAQs, but there are still plenty of uncertainties about the situation. For instance, EU participants want stricter standards than what currently exists in the United States. There is no existing federal privacy law in the U.S., except in specific verticals like the HIPAA.

Companies can hire data security services to ensure confidentiality, but without an enforceable federal privacy standard, companies with business in the EU have no baseline for their operations. Many businesses have experienced ongoing confusion over the legalities of U.S.-EU data transfers, which negatively affects their operations, finances, and offerings in Europe.

What Are Other Implications of the Ruling?

Besides business interests, the ruling also affects academic institutions and non-governmental entities. Organizations that rely on access to data for policymaking, research, and international collaboration must also deal with the uncertainties. For example, the Federation of European Academies of Medicine and the European Science Advisory Council said that the uncertainty about sharing health data has put essential research and collaborations at risk, including ones that revolve around COVID-19 vaccines.

For larger companies and organizations, one solution is to store and process data locally. Microsoft has started doing this, storing and processing EU cloud customer data in the region. The announcement came with a reaffirmation of their “commitment to meeting EU data protection laws, including GDPR.”

However, there are those who might have to give up their business completely. The choice between expenses incurred with European-based processes or the risk of non-compliance can be too much for a small business or organization. Hiring a data privacy consultancy could offer a small business other options.

Standard Contractual Clauses: Offering Some Clarity

Risk mitigation may come through the recently-revised Standard Contractual Clauses (SCC). These clauses are designed for addressing complex scenarios of sensitive data transfer. SCCs have contractual obligations for both the receiver and the sender of data. Also, there is a need for case-to-case validation of the clauses and the level of protection they provide.

The European Commission’s website shows that two sets of SCCs exist. One addresses international transfers of personal data from the EU to processors. Meanwhile, the other handles transfers to controllers.


Following significant changes to data regulations in the EU, many organizations face uncertainties about managing, storing, and protecting the data of citizens and entities from the EU. If your company is concerned about data transfers between the U.S. and Europe, you need to be vigilant about changes in regulations and policies, as they can come unexpectedly.

Protect your business’ future with data privacy consulting services from Scaramanga. We are a consulting firm in Switzerland specializing in information security, compliance consulting, and data protection, offering end-to-end solutions for enterprises. Contact us for enquiries or book a consultation today!