July 21, 2020

EU-U.S. Privacy Shield Invalid: What Does This Mean For Email Marketers?


On July 16, 2020, the European Union Court of Justice ruled that the EU-U.S. Privacy Shield agreement is invalid. Wondering what the EU-U.S. Privacy Shield was and how this news impacts your business? You’ve come to the right place.

This article will explore:

  • A brief history of the EU-U.S. Privacy Shield and how it worked  
  • The legal debate surrounding transatlantic data transfers
  • What the invalidation of this agreement means for your business and in particular, your email marketing

Data Privacy Between the EU and the U.S. – a Never-Ending Story?

When the EU’s General Data Protection Regulation, GDPR, came into force in May 2018, it brought into focus the stark divide in how the U.S. and the EU handle data privacy.

Since then there has been much debate between the U.S. and EU about how citizens’ personal data should flow between them.

As U.S. Secretary of Commerce Penny Pritzker, who originally negotiated the Privacy Shield Pact in 2016, explains, the U.S. and the EU have fundamentally different ideas of what constitutes privacy when it comes to people’s information.

In the U.S., there are sectoral laws in place. These govern, for example, how personal information is handled in the health care and credit industries. Lawmakers in the EU, in contrast, consider privacy an inalienable right across all sectors.

As of July 2020, the data protection agreement known as Privacy Shield has been declared invalid as it does not meet the requirements of EU data protection laws.

So, what is the EU-U.S. Privacy Shield and how did it come into being?

A Quick History of EU-U.S. Data Protection Pacts

1. It all started with Safe Harbor

Before the EU-U.S. Privacy Shield Pact went into effect in 2016, Safe Harbor regulated the exchange of personal data between the U.S. and the EU. This data-sharing framework agreement entered into force in 2000.

It established what should happen to individuals’ personal information when it crossed transatlantic borders. Personal information means details such as birthdays, contact information, and ID numbers. Safe Harbor applied to U.S. companies like Facebook and Mailchimp.

Safe Harbor, however, was repealed in October 2015 by the European Court of Justice.

2. Creation of the EU-U.S. Data Privacy Shield

The EU-U.S. Privacy Shield, which was negotiated in 2016, was welcomed as having many improvements over Safe Harbor.

Even though it had its detractors, Privacy Shield was initially well regarded on both sides of the Atlantic when it came into force in August 2017.

Things became a little tricky, however, when ombudspersons had to be sent out for inspection, both in the EU and in the USA. The appointment of an ombudsperson became a big point of contention between the U.S. and the EU.

How the EU-U.S. Privacy Shield Worked

Privacy Shield worked through a self-certification process.

U.S. companies can apply through the U.S. Department of Commerce for certification that will allow them to process personal data from the EU. They must recertify annually.

Even though participation is voluntary, once a company commits to the Privacy Shield Principles, these principles will be enforced by the U.S. Federal Trade Commission or the U.S. Department of Transportation.

The U.S. Department of Commerce maintains an up-to-date list of self-certified companies. As of July 2020, over 5,000 U.S. organizations were registered on the EU-U.S. Privacy Shield list.

3. Privacy Shield: A subject of intense debate

In recent years, politicians on both sides of the Atlantic have found cause for concern when it comes to transatlantic data transfer.

The U.S. administration expressed dissatisfaction in May 2018 with the stipulations of GDPR. When the regulation came into effect, U.S. Secretary of Commerce Wilbur Ross critiqued GDPR. He claimed it would be able to “significantly interrupt transatlantic co-operation and create unnecessary barriers to trade.”

On the other side of the pond, European politicians and activists have found many points to critique, especially in light of events like the Facebook-Cambridge Analytica data breach.

Both Facebook and Cambridge Analytica were self-certified under Privacy Shield. Many Europeans found this scandal a reason to review Privacy Shield’s self-certification process.

According to Austrian privacy lawyer Max Schrems (famous for taking down Safe Harbor in court), Privacy Shield was inadequate. In his view it didn’t protect Europeans’ data from the long digital arm of U.S. intelligence agencies.

In 2018, Schrems brought a case to the Irish High Court to challenge Facebook’s use of standard contractual clauses (SCC) to transfer personal data to the US.

4. July 2020: Privacy Shield is struck down

On the 16th of July 2020, following the Schrems case, the European Court of Justice ruled the EU-U.S. Privacy Shield to be invalid. This is because it doesn’t adequately comply with EU data protection laws.

The following message was displayed on the Privacy Shield official website:

“On July 16, 2020, the Court of Justice of the European Union issued a judgment declaring as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. This decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework.”

What Does This Mean for Businesses?

Now that Privacy Shield has been deemed invalid, companies wishing to transfer personal data from the European Economic Area to the USA must use other GDPR-compliant mechanisms to protect personal data.

Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) are examples of such mechanisms.

How does it affect Email Marketing?

If you are a European company working with U.S. email marketing software, it’s a good time to reconsider your provider. Ditto if you’re an American company that uses email marketing and has European customers.

Following the July 2020 ruling, we know that the Privacy Shield is not GDPR compliant. It fails to protect European residents from U.S. intelligence agencies, which is a big concern. 

Play It Safe: Email Marketing According to EU Law

Choose a European email marketing provider and you won’t have to worry about being in violation of GDPR. With servers located in Europe, a strictly enforced anti-spam policy and our software’s GDPR compliance, Sendinblue puts you on the safe side of email marketing.

Good news: you can test-drive Sendinblue for free. Our forever free plan lets you store unlimited contacts and send up to 300 emails/day. Try it today.

But it’s not enough just to use our software. Here’s what you should do to make sure you are 100% GDPR compliant:

  • All contacts must agree to receive promotional email from you. You can obtain this consent via a double opt-in sign-up process.
  • Always state what personal information you are collecting from contacts and exactly how you are using this.
  • If there are third parties, such as Sendinblue, processing your contacts’ personal information, ensure that the privacy policy is GDPR compliant.
  • Your data protection policy (data privacy statement) should always be available. It’s best if it’s linked in the registration form.
  • Let your newsletter subscribers know they can unsubscribe at any point. Make sure to include an unsubscribe link in every email.
  • For full transparency, include a legal notice or site notice in your footer. Under EU law, this should include registered company information.

👉 Check out our GDPR checklist for more information.

What’s next for EU-US data transfers?

The story continues.

Now that Privacy Shield has been overturned, U.S. data protection policies have once again been brought into disrepute. 

It’s unclear for now what’ll happen next and whether a new agreement can be reached.

In any case, we’ll keep you up-to-date on any new developments that arise. Follow us on Twitter to make sure you don’t miss out.
