The End of the Privacy Shield. How Should You React and What Should You Do With Your Cloud Data?

On 16 July 2020, the Court of Justice of the European Union declared the Privacy Shield transfer mechanism invalid. 

What does it mean and why is it a problem for the EU business? 

Say simple, before there were 3 ways of transferring the personal data of the EU residents to the United States: 
  1. Privacy Shield
  2. Standard Contractual Clauses
  3. Binding Corporate Rules

The Court of Justice decided that Privacy Shield could not ensure that EU residents’ data would be safe from U.S. government surveillance and that there would be an effective remedy in case of infringement of EU residents’ rights.

What is the problem for EU companies?

Amazon-AWS, Microsoft-Azure, and Google are US-based companies. Meaning all the US companies handling personal data of the EU residents can be forced to permit access to this data to the US authorities. Even though the above companies operate separately in a variety of countries, however, they are still affiliated with each other and therefore, might be compelled to provide the data to the US authorities. 

What are the options? 

There are still 2 viable ways of safe transferring:
  1. Standard Contractual Clauses. It’s possible to use pseudonymization, which is covered in GDPR, but only if it would not possible to attribute the specific data to the relevant person without additional data that is kept separately.  
  2. Binding Corporate Rules. However, there is an issue that Binding Corporate Rules should be approved by the relevant supervisory authorities before they entering into effect. However, if decided that Binding Corporate Rules were unable to provide appropriate security for the EU data, this way could be also invalidated.

Thus, even though the Privacy Shield was dropped, there are still viable ways to protect the EU residents’ personal data. 

Here at ZeroTolerance, we can assist you with adopting and amending your Data Protection Policies in compliance with the EU and US data protection requirements. Should you need our assistance or require more information please contact us at