January 19, 2021

The Privacy Shield has been invalidated. Is my data still safe?

By Suzy Bibko, Content Marketing Manager, EMEA

On July 16, 2020, in a case examining transfers of Personally Identifiable Information (PII) from the EU, the Court of Justice for the European Union (CJEU) issued a ruling invalidating the use of the Privacy Shield Framework because it did not comply with the level of protection required under EU law. As a result, data transfers between the EU and US must now rely on a mechanism other than the Privacy Shield to be compliant with EU law.

What is the Privacy Shield?
The Privacy Shield was developed from the EU’s General Data Protection Regulation (GDPR) as a way of meeting the GDPR’s requirements. The Privacy Shield was developed and agreed to in 2016 to enable US organizations certified under the program to legitimately receive PII from the EU. Under the Privacy Shield, organizations were deemed to provide ‘adequate’ protection of personal information as required by the GDPR if they abided by seven Privacy Shield principles.

Why was it invalidated?
The case brought before the CJEU questioned whether the Privacy Shield and Standard Contractual Clauses (SCCs) provided sufficient safeguards for personal information when it enters and/or leaves the EU. The court ruled that the Privacy Shield does not meet the GDPR standard, although SCCs can be used to do so.

How can organizations transfer data without the Privacy Shield?
The GDPR standard is still the highest standard for data protection in the EU (remember, the Privacy Shield was developed from it and fell under it). Thus, if an organization complies with GDPR, data can still be transferred between the EU and US. And, as mentioned above, SCCs are also valid mechanisms to ensure safe and legal transfer of data across the Atlantic.

Is my data still safe with Datasite?
Yes. Despite the invalidation of the Privacy Shield, Datasite complies with all applicable data protection laws, including GDPR, and continuously invests in its privacy and security processes.

Our commitment includes:

  • Ensuring that all United Kingdom and EU projects are stored in the EEA, with servers located in Germany and serviced by the Client Services team in the United Kingdom.

  • Continuing to invest in European client support and hosting facilities to preserve full localization of projects in the EEA.

  • Providing Data Processing Agreements (DPAs) for clients that include a Standard Contractual Clause (SCC) stating that clients agree to provide data in compliance with the GDPR.

Brexit Checklist

Check out our updated Brexit Data Room Checklist to understand what you now need to have in place with your data room provider to be compliant.
