646 666 9601 [email protected]

The EU-US Privacy Shield is most likely the most regularly utilised method for US enterprises to legitimately receive, handle, retain, and transmit personal information of EEA residents.

GDPR Compliance for US Businesses

On July 16, 2020, the EU Court of Justice (CJEU) declared that the EU-US Privacy Shield safeguards were unlawful because US law cannot effectively protect personal data of persons in the European Economic Area (EEA). Prior to this ruling, the EU-US Privacy Shield was most likely the most regularly utilised method for US enterprises to legitimately acquire, process, retain, and transmit personal information from EEA residents. The judgement was partly based on the conclusion that the US government does not restrict foreigner monitoring to what is absolutely required, and that both federal and state legislation in the US lack suitable remedies for people in the EEA.

Fortunately, there are still solutions recognised by the EU’s General Data Protection Regulation (GDPR) for enterprises in the US that handle personal data of EEA residents. Standard contractual clauses (SCCs) and binding company standards are two of these choices (BCRs). SSCs are provisions in data transfer or processing agreements that attempt to safeguard personal data in line with GDPR. BCRs are company-adopted policies relating to GDPR-compliant data transfer and processing procedures.

It is worth noting that the EU Commission is in the process of upgrading the approved SCCs. A previously ongoing procedure that has been halted awaiting the outcome of the CJEU judgement. Now that the work has been resurrected, it is critical that enterprises intending to handle personal data in the US monitor the issuing of any new SSCs and perhaps integrate the capacity to replace or alter such agreements when the new SSCs are published.

The US has been working to comply with the EU-US Privacy Shield framework, with officials from both the US and EU stating that “the US Department of Commerce and the European Commission have initiated discussions to evaluate the potential for an enhanced EU-US Privacy Shield framework to comply with the Court of Justice of the European Union’s July 16 judgement in the Schrems II case.” “The Department of Commerce will continue to manage the Privacy Shield programme, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List,” according to the Interim.

Despite the US Department of Commerce’s commitment to the programme, the European Data Protection Board (EDPB) has said that there is no grace period for firms who only operate under the EU-US Privacy Shield system. As a result, firms transferring and/or processing personal data of EEA citizens must immediately establish further protections to verify that they are in compliance with the GDPR standards.

Companies that are presently certified under the EU-US Privacy Shield system should consider continuing compliance in order to prevent any difficulties with the declarations made to those authorities, based on the statements made by the relevant US agencies. “[W]e will continue to hold firms responsible for their privacy obligations, including pledges made under the Privacy Shield,” stressed the FTC’s Chairman.

Even if a firm is not certified under the EU-US Privacy Shield, if it is transmitting or processing personal data of EEA citizens, the company should implement suitable safeguards, such as SSCs and/or BCRs, to be in compliance with GDPR. Companies may depend on particular exclusions known as “derogations for special circumstances.” The European Data Protection Board’s “Guidelines 2/2018 on derogations from Article 49 under Regulation 2016/679” go into great length on this. However, in order to avoid responsibility under GDPR, it is essential to verify that an applicable derogation exists, or that the relevant SCCs or BCRs are in place.

Table of Contents


If your organisation receives, transports, or processes personal data from the EEA, you must guarantee GDPR compliance, especially if you previously relied on the EU-US Privacy Shield to assure compliance. Following the July 16, 2020 judgement that invalidated the EU-US Privacy Shield provisions, it has been claimed that there is no safe harbour or grace time to come into compliance. As a result, confirming that one of the derogations applies to your company’s position, or adopting relevant SCCs or BCRs to enable GDPR compliance, is a need that should be handled as soon as possible.