
The end of the Privacy Shield. What do you need to do?

The Privacy Shield, which protected data transfers between the EU and the U.S., is no longer valid because the EU deems that U.S. domestic laws (specifically national security laws) aren’t stringent enough to protect data. Standard Contractual Clauses (SCCs) are still allowed, but using them as your Plan B may not be as simple as it seems.

Here, our Senior Associate, Jennifer Foxwell, explains the changes, how they will impact you and what you should do next.

Why is the Privacy Shield no longer valid?

Under EU laws, personal data can only be transferred to a country outside the European Economic Area (EEA) if that country provides an adequate level of data protection.
The EU-U.S. Privacy Shield imposed a framework under which personal data could transfer from the EEA to the U.S. It ensured that U.S. and European companies could comply with data protection requirements when transferring personal data from the EU (and Switzerland) to the United States.

U.S. companies were obliged to self-certify to the Department of Commerce and publicly commit that they were complying with the Privacy Shield’s requirements, which imposed stringent obligations on such companies with regard to their handling of EU personal data.

The decision of the Court of Justice of the European Union (CJEU) to declare the Privacy Shield invalid was primarily based on the fact that U.S. domestic laws, specifically national security laws, were insufficient to protect EU personal data, and that there was a lack of adequate redress for individuals in Europe and the United Kingdom whose personal data is transferred to the U.S.

What now?

As CJEU decisions still apply to the UK during the Brexit transition period, UK to U.S. transfers of personal data made under the Privacy Shield will no longer be valid. This will, of course, cause much uncertainty for UK companies that relied on the Privacy Shield to transfer their data to the U.S. Such companies must now look to other methods to ensure they are able to continue transferring data to the U.S.

Can I use Standard Contractual Clauses (SCCs) instead?

As part of the same ruling, the CJEU also decided that another data transfer mechanism, Standard Contractual Clauses, or SCCs, remains valid. The SCCs are non-negotiable contractual clauses that the European Commission has decided still offer sufficient safeguards on data protection for the data being transferred internationally. Binding corporate rules also remain unaffected, but these are costly and require a lengthy process to implement. Most companies will therefore most likely turn to SCCs.

However, replacing the Privacy Shield with the signing of SCCs is not necessarily a quick fix. Simply putting the SCCs in place will be insufficient to meet the safeguarding requirements, as the CJEU’s decision has highlighted that parties that transfer personal data using SCCs must verify the level of protection in the third country before making any transfer. This puts the burden of establishing that the transfers are lawful on the data exporter. Data exporters will need to review all of the circumstances of the data transfer to assess whether the SCCs adequately protect personal data, and refer areas of concern to their supervisory authorities. So far, such assessments are not subject to any guidance from data protection regulators as to what level of scrutiny they expect from businesses relying on SCCs.

Next steps if you currently rely on the Privacy Shield

The decision of the CJEU does not mean immediate cessation of data transfers to the U.S. that rely on the Privacy Shield. However, companies using this method will need to act quickly to implement alternative means to transfer data which, in most cases, will mean putting SCCs in place.

Consequently, all contracts under which personal data is transferred will need to be reviewed if they rely on the Privacy Shield or SCCs. This is not just pertinent to contracts involving personal data transfers to the U.S.: given the additional considerations required around the future use of SCCs, it will affect all data transfers to any third country where adequacy is not provided and where an organisation uses the SCCs as its data transfer safeguard.

Any reliance on the SCCs must entail a company reviewing each data transfer on a case-by-case basis and documenting its assessment of whether the third country has the required protections in place to meet the standards that the EU expects.

What might this mean for the future?

With the U.S. adequacy decision being thrown out, this does cast a shadow over whether the UK will be able to secure a post-Brexit data adequacy decision. This makes it even more important for UK companies to ensure that they have SCCs in place in any future contracts they make with the EU.
