New Restrictions for GDPR data in the US – Updated

Disclaimer: We specialize in operationalizing data security and privacy requirements and work closely with security and privacy attorneys, but we are not attorneys.

The European Court of Justice ruled yesterday that Privacy Shield is not adequate to protect EU subject (resident) sensitive data that is transferred to the US.   While commercial privacy law like the California Consumer Privacy Act or the Illinois Biometric Privacy Information Act focus on protecting one’s personal information held or used by businesses. The focus of this judgement was protecting EU subjects from US government access to their personal information.   The court upheld the use of Standard Contractual Clauses but require the importer of the data, e.g., Facebook (the subject of the decision) in the US, to assess what additional measures need to be taken to ensure that the US government cannot access the sensitive data. Exclusions to those protections may exist if there are acceptable reasons including explicit consent by individuals, necessity for the performance of a contract, etc.

 This decision is significant for the thousands of businesses in the US that process EU personal information and must comply with GDPR.

Few options for US Businesses that need to comply with GDPR

After listening to some great webinars held by the IAPP, it appears that there is a short-term solution to move to Standard Contractual Clauses and try to make a case based on a risk analysis that the US government may not have an interest in using its surveillance capabilities to acquire EU citizen sensitive information.   And the FTC and many attorneys will recommend to take business decisions slowly on this subject.   But in the long-run, there only appears to be two options.

  1. Legally align the rights of individuals whose data is stored in the US (including US citizens and non-US citizens whose data is stored in the US with the rights of EU citizens.  This seems unlikely because of the view of national security interests in the US.
  2. Relocate the sensitive information to a country that has adequate protections for the rights of EU subjects.

The risk is high for businesses that store and process EU subject data.   Those residents have a personal right for legal action and can be represented in class action lawsuits.  Additionally, the business be fined up to 4% of revenue or $20 MM Euros for violations.

Here is the text of the ruling:

Here is a great webinar held by IAPP on the subject:


We specialize in Data Protection and Privacy operationalization.   But we are not attorneys.   We would be happy to provide referrals to legal experts in privacy law.


For a related articles see


opens in a new tab)