January 19, 2021

The Privacy Shield has been invalidated. Is my data still safe?

By Suzy Bibko, Content Marketing Manager, EMEA

On July 16, 2020, in a case examining transfers of Personally Identifiable Information (PII) from the EU, the Court of Justice for the European Union (CJEU) issued a ruling invalidating the use of the Privacy Shield Framework because it did not comply with the level of protection required under EU law. As a result, data transfers between the EU and US must rely on a mechanism other than the Privacy Shield to be compliant with EU law.

What is the Privacy Shield?
The Privacy Shield was developed from the EU’s General Data Protection Regulation (GDPR) as a way of meeting the GDPR’s requirements. The Privacy Shield was developed and agreed to in 2016 to enable US organizations certified under the program to legitimately receive PII from the EU. Under the Privacy Shield, organizations were deemed to provide ‘adequate’ protection of personal information as required by the GDPR if they abided by seven Privacy Shield principles.

Why was it invalidated?
The case brought before the CJEU questioned whether the Privacy Shield and Standard Contractual Clauses (SCCs) provided sufficient safeguards for personal information when it enters and/or leaves the EU. The court ruled that the Privacy Shield does not meet the GDPR standard, although SCCs can be used to do so.

How can organizations transfer data without the Privacy Shield?
The GDPR standard is still the highest standard for data protection in the EU (remember, the Privacy Shield was developed from it and fell under it). Thus, if an organization complies with GDPR, data can still be transferred between the EU and US. And, as mentioned above, SCCs are also valid mechanisms to ensure safe and legal transfer of data across the Atlantic.

Is my data still safe with Datasite?
Yes. Despite the invalidation of the Privacy Shield, Datasite complies with all applicable data protection laws, including GDPR, and continuously invests in its privacy and security processes.

Our commitment includes:

  • Ensuring that all United Kingdom and EU projects are stored in the EEA, with servers located in Germany and serviced by the Client Services team in the United Kingdom.

  • Continuing to invest in European client support and hosting facilities to preserve full localization of projects in the EEA.

  • Providing Data Processing Agreements (DPAs) for clients that include a Standard Contractual Clause (SCC) stating that clients agree to provide data in compliance with the GDPR.

Brexit Checklist

Check out our updated Brexit Data Room Checklist to understand what you now need to have in place with your data room provider to be compliant.
