January 19, 2021

The Privacy Shield has been invalidated. Is my data still safe?

By Suzy Bibko, Content Marketing Manager, EMEA

On July 16, 2020, in a case examining transfers of Personally Identifiable Information (PII) from the EU, the Court of Justice for the European Union (CJEU) issued a ruling invalidating the use of the Privacy Shield Framework, as it did not comply with the level of protection required under EU law. As a result, data transfers between the EU and the US must rely on a mechanism other than the Privacy Shield to be compliant with EU law.

What is the Privacy Shield?
The Privacy Shield was developed from the EU’s General Data Protection Regulation (GDPR) as a way of meeting the GDPR’s requirements. It was agreed to in 2016 to enable US organizations certified under the program to legitimately receive PII from the EU. Under the Privacy Shield, organizations were deemed to provide ‘adequate’ protection of personal information as required by the GDPR if they abided by seven Privacy Shield principles.

Why was it invalidated?
The case brought before the CJEU questioned whether the Privacy Shield and Standard Contractual Clauses (SCCs) provided sufficient safeguards for personal information when it enters and/or leaves the EU. The court ruled that the Privacy Shield does not meet the GDPR standard, although SCCs can be used to do so.

How can organizations transfer data without the Privacy Shield?
The GDPR standard is still the highest standard for data protection in the EU (remember, the Privacy Shield was developed from it and fell under it). Thus, if an organization complies with GDPR, data can still be transferred between the EU and US. And, as mentioned above, SCCs are also valid mechanisms to ensure safe and legal transfer of data across the Atlantic.

Is my data still safe with Datasite?
Yes. Despite the invalidation of the Privacy Shield, Datasite complies with all applicable data protection laws, including GDPR, and continuously invests in its privacy and security processes.

Our commitment includes:

  • Ensuring that all United Kingdom and EU projects are stored in the EEA, with servers located in Germany and serviced by the Client Services team in the United Kingdom.

  • Continuing to invest in European client support and hosting facilities to preserve full localization of projects in the EEA.

  • Providing Data Processing Agreements (DPAs) for clients that include a Standard Contractual Clause (SCC) stating that clients agree to provide data in compliance with the GDPR.

Brexit Checklist

Check out our updated Brexit Data Room Checklist to understand what you now need to have in place with your data room provider to be compliant.
