EU-US Privacy Shield Invalidated: Now What?

Written by Lindsay McGuire on July 30, 2020

Posted in Uncategorized

As of Thursday, July 16, the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield.

The EU-U.S. Privacy Shield is a system for complying with EU data protection requirements when transferring personal data from the European Economic Area (EEA) to the U.S. It is used by over 5,000 companies as the legal basis to transfer personal data from the EU to the U.S.

As a company that focuses on data collection, we want to provide context on why this ruling happened, how it impacts organizations, and what Formstack customers need to do now.

long form tipsNo time to read? If you are a Formstack customer who collects data from residents of the EEA, you need to sign our Standard Contractual Clause to ensure your compliance with the recent ruling.


Why has the EU-U.S. Privacy Shield been invalidated?

Since 2016, the Privacy Shield has served as the seal of approval for data protection and compliance for organizations sending data from EEA residents to the U.S. It was enacted when the Safe Harbor law was invalidated.

Organizations self-certify with the U.S. Department of Commerce to commit to the Privacy Shield’s 7 Principles. But on July 16, the usage of the Privacy Shield was revoked by the Court of Justice of the European Union. The court ruled that the Privacy Shield did not provide adequate protection for the personal data of EU citizens.

The court feels that the Privacy Shield does not guarantee the same broad privacy rights and protections that EU residents have under the GDPR, specifically when it comes to actionable rights before U.S. courts against U.S. authorities. There are also concerns about U.S. government surveillance laws.

Related: Learn More About Formstack’s GDPR Compliance

According to the law firm Jones Day, the court decided that, “the EU–U.S. Privacy Shield does not include satisfactory limitations in order to ensure the protection of EU personal data from access and use by U.S. public authorities on the basis of U.S. domestic law.”


What does the EU-U.S. Privacy Shield ruling mean?

Any company that transfers personal data from the EU to the U.S. must find alternative data protection measures now that the EU-U.S. Privacy Shield has been invalidated. At this point, the court has not provided a grace period which means EU Data Protection Authorities can start investigating violations immediately. If they determine noncompliance with the new ruling, it could result in fines or other actions.

JDSUPRA reports that, “With the invalidation of the Privacy Shield adequacy determination, companies seeking to transfer personal data from the EEA to the U.S. — or transfer EEA-originated personal data onward within the U.S. — must now use other mechanisms recognized by the GDPR to appropriately safeguard personal data, such as standard data protection clauses or binding corporate rules.”

Learn More: Data Security at Formstack


How This Impacts Formstack Customers

Formstack relied on Privacy Shield to validate data transfers from the EEA. Now, Privacy Shield is no longer a valid legal way to transfer data from the 30 countries of the EEA to the U.S. Although this recent ruling voids the Privacy Shield, our product still offers the same level of data encryption, security, and protection as always.

Formstack is dedicated to providing secure data collection, storage, and sharing to our customers. Luckily, we have a Standard Contractual Clause (SCC) customers can sign to ensure they are adhering to the recent court ruling.

The European Union adopted a set of Standard Contractual Clauses (SCC) to govern the transfer of personal data to countries that are not recognized as providing adequate protection measures for this type of personal data processing. SCCs are considered a way to offer sufficient safeguards for international data transfers under Article 46 of the GDPR.

The CJEU indicated that companies must perform an analysis to determine if SCCs would provide an adequate level of protection for EU data transfers. Formstack’s analysis found that SCCs can be used as an alternative mechanism for EU data transfers, in part due to Formstack’s security measures and safeguards in place.

View our Privacy Policy


What Formstack Customers Need to Do

If you are collecting data from EEA residents, you need to sign our SCC as soon as possible to ensure your organization is adhering to the Court’s recent Privacy Shield ruling. Signing our SCC will allow you to continue transferring data in accordance with GDPR security regulations.

Once you have signed, you will receive a copy of the SCC immediately in your inbox. We will keep all customers informed as any other changes arise from the recent ruling.

We are dedicated to providing you the best data collection tools with the built-in data protection you need. We are devoted to the security and privacy of your information, and will keep you up-to-date on compliance or regulation changes. As an international company, we are always focused on complying with privacy practices globally.

Please Note: The information above is not official legal advice. For expert guidance on legal matters, you’ll need to consult an attorney.


If you’re a Formstack customer currently collecting data from EEA residents, please sign this SCC to ensure your data collection adheres to the current Court of Justice of the European Union ruling.

Sign Our SCC