🆕 Are hidden website trackers putting your brand at risk? Find out now! 🔎

Is Privacy Shield required for GDPR?

In a ruling made by the European Court of Justice last year, the Privacy Shield policy between the United States and the European Union was nullified. The decision had farther-reaching consequences than most people expected, especially regarding data protection in Europe.
Read time
5 min read
Last updated
May 10, 2024
Ketch is simple,
automated and cost effective
Book a 30 min Demo

In a ruling made by the European Court of Justice last year, the Privacy Shield policy between the United States and the European Union was nullified. The decision had farther-reaching consequences than most people expected, especially regarding data protection in Europe.

Understanding The EU-US Privacy Shield

Based on the regulations brought forth by the GDPR, only data transferred within the EEA (Norway, Iceland, and Lichtenstein) and the European Union was to be considered unproblematic.

However, supposing personal data happened to be transferred to a third country, the GDPR requirements state that there should be a comparable level of data protection in the recipient country.

This was known as the Privacy Shield statute. In more standard terms, it was an agreement between the EU and the US designed to ensure the enforcement of this new level of data protection and replace the Safe Harbor regulation that was in place earlier but had been invalidated.

This meant that even without the Privacy Shield, one would be allowed to receive personal data from the EU without additional legal measures.

Transfer Of Data To Third Countries

When it comes to GDPR and marketing, the transfer of data to third countries can only occur under the following conditions:

  • The transfer has to take into consideration the EU adoptions made to serve as adequacy decision parameters for countries such as Canada, Israel, Switzerland, Japan, Uruguay, Argentina, Faroe Islands, Isle of Man, Andorra, and New Zealand.
  • There has to be the presence of a legally binding agreement between authorities similar to the now invalid EU-US Privacy Shield.
  • There has to be a set of binding data protection rules and regulations within one or more companies.
  • One has to apply the standard data protection clause adopted by the commission, which aligns with the examination procedures referred to in Article 93 (2).
  • Adopt the code of conduct recommended by the supervisory authority.

One of the main advantages of the Privacy Shield was that it worked like an adequacy decision parameter. This meant that businesses could process the data without any more legal hurdles.

What Invalidating The EU-US Privacy Shield Meant

The decisions made by the European Court of Justice impacted various sectors of the marketing world, in particular, the internet. A wide range of online platforms such as Facebook, Twitter, Youtube, Google Maps, Social Plugin, and Google Analytics were all under US companies that had adopted the Privacy Shield.

If e-commerce website users implemented these new parameters, then data transfer to the USA could be possible. By nullifying the Privacy Shield, using e-services is no longer regulated by the privacy treaty that existed between the EU and the US.

Some Of The Alternatives To The Privacy Shield

If a destination country doesn’t have the right level of data protection, then any transfer of information has to be legitimized using other relevant safeguards. If the data subject gives their consent, then the transfer is possible.

However, it is essential to state that the permission needs to be understandable, voluntary, and revocable. This means that it is not enough to inform the subject about data transfer in your privacy policy.

They have to be provided with all the relevant information, and consent must be given before any transfer takes place. Data privacy software might be helpful in this regard.

Conclusion

Operating a website without any external content is next to impossible in today’s highly competitive market. However, to comply with the GDPR, it is a must that websites legitimize all their data transfer.

Ever since the nullification of the Privacy Shield policy, it has become a necessity for businesses and marketing departments to align with the requirements.

Read time
5 min read
Published
October 15, 2021
Need an easy-to-use consent management solution?

Ketch makes consent banner set-up a breeze with drag-and-drop tools that match your brand perfectly. Let us show you.

Book a 30 min Demo

Continue reading

Product, Privacy tech, Top articles

Advertising on Google? You must use a Google certified CMP

Sam Alexander
3 min read
Marketing, Privacy tech

3 major privacy challenges for retail & ecommerce brands

Colleen Barry
7 min read
Marketing, Privacy tech, Strategy

Navigating a cookieless future with Google Privacy Sandbox

Colleen Barry
7 min read
Get started
with Ketch
Begin your journey to simplified privacy operations and granular data control across the enterprise.
Book a Demo
Ketch was named top consent management platform on G2