The Privacy Shield has been invalidated. Is my data still safe?

January 19, 2021 | Blog

By Suzy Bibko, Content Marketing Manager, EMEA

On July 16, 2020, in a case examining transfers of Personally Identifiable Information (PII) from the EU, the Court of Justice for the European Union (CJEU) issued a ruling invalidating the use of the Privacy Shield Framework, as it did not comply with the level of protection required under EU law. As a result, data transfers between the EU and US must rely on a mechanism other than the Privacy Shield to be compliant with EU law.

What is the Privacy Shield?
The Privacy Shield was developed from the EU’s General Data Protection Regulation (GDPR) as a way of meeting the GDPR’s requirements. It was developed and agreed to in 2016 to enable US organizations certified under the program to legitimately receive PII from the EU. Under the Privacy Shield, organizations were deemed to provide ‘adequate’ protection of personal information as required by the GDPR if they abided by seven Privacy Shield principles.

Why was it invalidated?
The case brought before the CJEU questioned whether the Privacy Shield and Standard Contractual Clauses (SCCs) provided sufficient safeguards for personal information when it enters and/or leaves the EU. The court ruled that the Privacy Shield does not meet the GDPR standard, although SCCs can be used to do so.

How can organizations transfer data without the Privacy Shield?
The GDPR standard is still the highest standard for data protection in the EU (remember, the Privacy Shield was developed from it and fell under it). Thus, if an organization complies with GDPR, data can still be transferred between the EU and US. And, as mentioned above, SCCs are also valid mechanisms to ensure safe and legal transfer of data across the Atlantic.

Is my data still safe with Datasite?
Yes. Despite the invalidation of the Privacy Shield, Datasite complies with all applicable data protection laws, including GDPR, and continuously invests in its privacy and security processes.

Our commitment includes:

  • Ensuring that all United Kingdom and EU projects are stored in the EEA, with servers located in Germany and serviced by the Client Services team in the United Kingdom.

  • Continuing to invest in European client support and hosting facilities to preserve full localization of projects in the EEA.

  • Providing Data Processing Agreements (DPAs) for clients that include a Standard Contractual Clause (SCC) stating that clients agree to provide data in compliance with the GDPR.