EU-US Data Privacy Shield Invalidated

The EU Court of Justice (ECJ) has invalidated the EU-US Data Privacy Shield, an agreement that governs transatlantic data transfers, saying basically that US law does not protect EU citizens’ data to the extent required by EU law. 

In an article for Forrester, analyst Enza Iannopollo stated, “about 5,000 companies currently rely on the framework to transfer personal data to the US, and these transfers contribute to transatlantic trade, which is worth about £5.6 trillion.

To comply with the court’s ruling, Iannopollo said, companies must take the following steps:

  • Map out your data transfers.
  • Assess alternatives and adopt standard contract clauses (SCCs) with caution.
  • Review third parties’ data flows and contracts.
  • Assess changes to data transfers from Europe to countries beyond the United States.
  • Green-light transfers to “adequate countries.”

The ruling prompted Microsoft to issue assurance to its customers that its services remain in compliance with EU law.