Invalidation of the EU–US Privacy Shield: impact on data protection and data security regarding the transfer of personal data to the United States

Abstract

The Court of Justice of the European Union has attracted international attention with its ruling, in which it declared the EU–US Privacy Shield invalid. Many companies have a connection to the United States, whether through service providers or affiliated companies. Data exporters and data importers are still wondering whether and how they can manage the transfer of personal data to the United States in accordance with European data protection laws. The national German data protection authorities have already published general recommendations for action, but these did not provide any remedy either. In November 2020, the European Data Protection Board published recommendations on measures to complement the transfer tools to ensure compliance with the European level of protection of personal data. The following article presents these recommendations and focuses on data security measures that play a major role in the future transfer of personal data to the United States.