On July 7, 2020, the EU/US Privacy Shield was deemed invalid by the Court of Justice of the European Union (CJEU) as part of its ruling in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems. In the simplest possible terms, this means that the transfer of European Personally Identifiable Information (PII), or data from which any specific European citizen can be identified, to the US is now illegal. It also means that around 60% of the companies transferring data out of the EU are breaking the law as we speak. But what was the Privacy Shield for, what does the fact that it no longer exists mean in practice to marketers, and what steps can companies take to ensure they stay on the right side of the law?
