How to navigate the invalidated Privacy Shield

Caroline McCaffery
April 27, 2021


“But what should I do, Caroline?”

This is the question that customers are asking me right now. With the Privacy Shield invalidated, many people want to know what they have to do about it. Generally, the advice I have heard from lawyers and privacy professionals seems to be “wait and see.” If you know me, then you know I am not a “wait and see” kind of person. Proactive approaches are best (it’s why I co-founded ClearOPS). With that in mind, I have outlined three key steps that I think B2B companies should take in response to this decision. I have and will provide them to any current customer (we have a 1-month free trial!). For those who aren’t customers yet, this short post compares what happened five years ago to what has happened to date, which explains why the “wait and see” advice is so common. I don’t think it’s necessarily bad advice, but I’m not switching my position that I lean towards taking action.

Stress Keeping You Up At Night? Me too

So, what happened? In a nutshell, the Privacy Shield treaty was invalidated as a method of personal data transfer from the EU to the US. This decision was made by the European Court of Justice. You can read the decision itself or continue reading here for my quick oversimplification of the events:

Max Schrems, an Austrian, signed up for Facebook. Facebook has a datacenter in Ireland and a datacenter in the US. Facebook transferred Mr. Schrems data from Ireland to the US. Mr. Schrems moved to Ireland and sued Facebook over that transfer arguing that such a transfer violated his rights as a citizen of the EU. In 2015, he won his case and the Safe Harbor treaty between the US and the EU was invalidated (standard contractual clauses remained valid). He sued again with roughly the same argument about the validity of the standard contractual clauses. The ECJ issued its opinion on July 16, 2020 and this time the new treaty that was established in response to the first decision, the Privacy Shield, between the US and the EU was invalidated. However, the standard contractual clauses were upheld as valid. So, if you relied on the Privacy Shield to authorize any personal data transfers from the EU to the US, then your business is affected and EU customers could be calling to cancel their contracts. If you rely on standard contractual clauses, don’t breathe a sigh of relief because those also don’t work for EU to US transfers due to US surveillance, see below.

As a side note, if you are wondering why it was invalidated, it has to do with the rights of the US government to surveil EU citizens personal data without due process. As US citizens, we are protected by Fourth Amendment rights (and other rights), but an EU citizen is not afforded the same protections. This issue is the same as was contested with the Safe Harbor. For the Privacy Shield treaty agreement, the US appointed an Ombudsperson who was supposed to alleviate the concerns of the EU because the Ombudsperson would provide fair and impartial judgement to claims made by EU citizens. While the decision is more nuanced (which I won’t get in to) and political (which I also won’t get in to), it is clear that the ECJ determined the Ombudsperson was not independent and not a tribunal, thereby not providing enough due process. Many argue that they foreshadowed the Schrems II decision because of this very (obvious) inadequacy.

So, let’s look back at history and create a side by side timeline. Clearly the right-hand column has yet to be completed since events are unfolding in real time, but I think the chart is useful as a map. Here we go:

Image for post

The US Department of Commerce has already announced that they will continue to enforce the Privacy Shield, so many are advising that companies do not withdraw. If you do withdraw, you will have to fill out a questionnaire, pay a withdrawal fee and suffer the consequences of being listed as inactive on the Privacy Shield list. That withdrawal paperwork is also sent to the FTC for scrutiny, so there is an additional risk that you will come under the radar when you weren’t before.

So, what should you do? Wait and see? That isn’t my motto. I have more advice, including a questionnaire I put together to prepare your business for the fallout, but I ask you become a customer first. Please reach out to us at and we will set you up with a free trial and add the questionnaire to your account for your review. I will end this post with one last resource, which is Daniel Solove’s work in this area.

Good times.

Caroline McCaffery is the CEO & Co-Founder of ClearOPS, Inc., a B2B SaaS data privacy and cybersecurity company launched in October 2017. For companies with disparate privacy and cybersecurity processes, the ClearOPS privacy technology platform uses natural language processing and open source intelligence to enable actionable insights that build trust, mitigate breaches and liability and simplify compliance.