The fall of privacy shield

A reminder on the privacy shield

The Privacy Shield was the framework agreed upon and required with the EU data protection requirements for all data transfer between the United States and the EEA. It was designed to offer adequate personal information protection by asking companies and organisations to abide by Privacy Shield principles:

1. Companies must display privacy practices, participation in the framework, and how they collect, use and share EU data.
2. Individuals must consent to the collection and use of their data. They can also opt-out.
3. Organisations are accountable for third-party data processes.
4. Organisations must take preventive measures against data loss, exposure, or damage.
5. Data processing is limited to the explicit purposes mentioned.
6. Data owners can request access, amendment and deletion of their data.
7. In case of non-compliance, organisations face recourse, enforcement and liability consequences

Why the privacy shield ended

The Privacy Shield fell following Austrian privacy advocate Max Schrems's complaint that the framework does not meet GDPR standards.

The Court of Justice of the European Union recognised two crucial issues that have driven the fall of the Privacy Shield. Firstly, US law enforcement can access more personal data than strictly necessary, violating the GDPR terms. Secondly, the ombudsperson appointed within the frame of Privacy Shield has no authority to make binding decisions on US authority organisations. Therefore, EU citizens have no recourse against the US government for privacy violations.

The case, numbered C 311/18, is referred to as Schrems II judgement or ruling. It marks the end of Privacy Shield. It is worth mentioning that this is the second ruling influenced by Max Schrems privacy concerns. Schrems I invalidated US Safe Harbor between the US and the EU.

What does it mean for UK companies?

The Schrems II verdict officially shut down the framework for data transfer between the EU and the US. However, for US companies, it is worth mentioning that Schrems II does not attempt to shut down all forms of data transfer between the two business regions. It merely invalidates the previously agreed framework.

Companies can continue using Standard Contractual Clauses, SCCs, which are still valid according to the CJEU's ruling. SCCs remain, as of now, a lawful basis for the transfer of data as long as those responsible for the data export and import ensure an adequate level of data privacy protection. However, should a breach occur, it is unknown regarding the way the courts will view the attempts made to safeguard the data.

How does the Schrems II rule affect the UK?

A UK provider could be the answer companies need. Indeed, at Click4Assistance, we have worked extensively with the EU and GDPR for several years. The UK officially left the EU on 1 January 2021 with Brexit. However, while Brexit regulations essentially place the UK outside the EU and GDPR requirements, GDPR standards have been an essential part of our chat for website services. We understand and comply with EU data privacy requirements for data transfer.

Since Brexit the UK has become a third country, in other words, a country that has not yet any agreement with the EU regarding data privacy. This leaves the UK in a unique position. Indeed, the UK has compliance experience with GDPR. GDPR requirements for data privacy transfer have been in place in the UK since May 2018. While Brexit doesn’t invalidate our data privacy experience and best practices.

Additionally, the UK and the US have yet still to design a trade agreement, which could also affect data transfer privacy. Through its bridge position between the US and the EU, the UK could offer different levels of protection depending on the origin of the data.

Maintaining international data privacy

Companies have essential four different solutions to respond to the fall of Privacy Shield.

1. They could stop all forms of data transfer between the US and the EU residents, making business relationships difficult.


2. They could stop business with the US.


3. They could maintain the Privacy Shield framework and convert to SCCs. As the Swiss-US Privacy Shield remains untouched for now, it would make sense to maintain the existing framework and use SCCs to tackle Switzerland and EU/US based transfers.


4. They could abandon the framework and convert to SCCs. This would be an effective solution, however, many US companies have not yet established the necessary SCCs. Working with a knowledgeable UK provider could make a significant difference.

How about using a UK provider?

We strongly recommend companies seek an answer to add chat to the website. Indeed, a secure chat provided by a UK company can serve multiple purposes. First of all, UK businesses are familiar with GDPR, as the regulation was first implemented BEFORE Brexit. Secondly, ensuring data remains within the UK negate the need for SCCs commitments. As the UK also maintains and preserves business relationships with the EU, privacy considerations are a priority. Thirdly, data transfer with the UK only can present fewer restrictions in the light of a US-UK post-Brexit trade agreement.

Are you wondering how to overcome the data transfers challenges with the EU since the fall of Privacy Shield? Partner with a UK chat provider for secure data. At Click4Assistance, we've got a long experience of data privacy regulations with the EU; therefore, we can offer one of the most reliable and secure solutions in terms of chat for websites.