
Data protection will be complicated again: EU/US Privacy Shield declared ineffective

Last Thursday the European Court of Justice declared the EU/US Privacy Shield, which regulates the secure transfer of personal data to the USA, to be ineffective. This has a direct impact on your digital marketing activities.

What is the EU/US Privacy Shield?

According to the European General Data Protection Regulation (GDPR), personal information may only be transferred to countries with data protection laws equivalent to those of the EU. The EU determines these countries with an Adequacy Decision. The USA is not one of these countries. For this reason, the EU/US Privacy Shield was created: an informal agreement allowing American companies to obtain certifications confirming that they comply with the basic principles of the GDPR.

This made it possible to send data to these companies as if they were in a country that had been granted an Adequacy Decision by the EU.

Almost all of the American companies that are active in online marketing in Europe have implemented the EU/US Privacy Shield.

What Does this Mean for my Online Marketing?

The transfer of personal data to companies and online tools in the USA is basically no longer possible. A quick reminder: IP addresses, email addresses, and cookies/IDs are considered personal data. Some examples of affected tools/companies are:

  • Google
  • Facebook
  • HubSpot
  • Marketo
  • LinkedIn
  • Twitter
  • Adobe
  • YouTube
  • Mailchimp
  • Microsoft
  • Campaign Monitor

What Should I Do Now?

  • Check which of your tools and platforms are affected.
  • Modify your privacy policy and remove the references to the EU/US Privacy Shield.

The following options are available (and can be combined):

  • Do nothing, wait and see what happens
    Although it involves risks such as legal warnings, intervention by data protection authorities, and, in the worst case, fines, this could be a temporary option due to the current uncertainty.
  • Use EU servers
    Use EU servers if tool providers offer this option.
  • Work with EU suppliers
    If there are equivalent suppliers in the EU, work with them in the future.
  • Contracts and standard contractual clauses
    Review contracts with suppliers and ask for standard contractual clauses. These are already used when personal data needs to be transferred to other countries that have not been granted an Adequacy Decision by the EU.
  • Get user consent
    Always ask for user consent, for example when users fill out a form on the website. Depending on the marketing tool, the consent for transferring data to the USA can also be integrated into the cookie management solution.

What happens next?

Hopefully, the EU and the US will find a solution as soon as possible. However, this may be difficult due to the current trajectory of US foreign policy. On the other hand, US companies will put pressure on the government and may develop their own solutions. We recommend closely monitoring developments and further court decisions.

Amazee Metrics offers support and consulting for data protection in online marketing. We would be happy to advise you on your individual setup.
