The Fall of the Privacy Shield – What next? The ICO and the EDPB have different approaches

July 26, 2020
|In Data Protection
|By Kate Grimley Evans

The decision of the European Court of Justice in Case C-311/18 – Data Protection Commissioner v Facebook Ireland and Maximillian Schrems struck down the EU-US Privacy Shield with immediate effect. This caused gasps of horror in the data protection world and more widely as people realised just how significant this judgement was and just how often the Privacy Shield was the mechanism under which personal data was being transferred to the US. Initial articles on the subject sometimes mentioned using Standard Contractual Clauses (SCCs) instead as they appeared to have survived the Court’s scrutiny. Then there was the slow recognition that there were serious question marks over the use of SCCs as US law does not ensure an equivalent level of protection for personal data.

Such were the repercussions of the judgement and the many questions being asked that on 23 July the EDPB (European Data Protection Board) adopted a set of Frequently Asked Questions (FAQ). These are helpful to a point but by no means provide any real answer to the problems caused by the judgment. What is most interesting is the stark contrast between the EDPB’s approach and that of the ICO. The EDPB FAQ document says of the Privacy Shield, ‘Transfers on the basis of this legal framework are illegal’.  However, a visit to the Privacy Shield page of the ICO website reveals a statement as follows:

‘We are currently reviewing our Privacy Shield guidance after the judgment issued by the European Court of Justice on Thursday 16 July 2020.If you are currently using Privacy Shield please continue to do so until new guidance becomes available. Please do not start to use Privacy Shield during this period’

However, continuing to use the Privacy Shield carries risks, even if one assumes that there is no risk of ICO enforcement while the ICO statement remains as above. For example, individuals could bring claims for compensation.  The ICO has not mentioned this but the Berlin Data Protection Authority has referred to it in a press release (which is only available in German) and has also told organisations in Berlin to shift their data storage from the US back to Europe.

IMPORTANT UPDATE: On 27th July 2020, the ICO changed its statement on its website to read:

‘The judgment in the Schrems II case issued by the European Court of Justice on Thursday 16 July 2020 found that Privacy Shield is no longer a valid way to transfer personal data outside of the EEA. For more information please read our latest statement.’

This statement brought it into line with the EDPB.

Privacy Shield Schrems
Share this

Kate Grimley Evans

Managing Director
If you have any questions about this, or any other related topic then please do
Contact Kate

©2025 Kate Grimley Evans Ltd. Powered by HomeTechWorks.
Kate Grimley Evans Ltd is a limited company registered in England and Wales with company number 12146367, the registered office of which is at 9 Quy Court, Colliers Lane, Quy, Cambridge CB25 9AU.
Please note that although Kate Grimley Evans is a qualified solicitor, the services she provides through this company are provided in her capacity as a consultant and not in her capacity as a solicitor. Kate Grimley Evans Ltd is not a law firm and is not regulated by the Solicitors Regulation Authority (SRA).

Privacy Policies
Contact Kate
Click here

Privacy Preference Center

Privacy Preferences