On July 7, 2020, the EU/US Privacy Shield was deemed invalid by the Court of Justice of the European Union (CJEU) as part of its ruling in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems. In the simplest possible terms, this means that the transfer of European Personally Identifiable Information (PII), or data from which any specific European citizen can be identified, to the US is now illegal. It also means that around 60% of the companies transferring data out of the EU are breaking the law as we speak. But what was the Privacy Shield for, what does the fact that it no longer exists mean in practice to marketers, and what steps can companies take to ensure they stay on the right side of the law?

When it comes to data protection, a storm has long been brewing. First came worries about Alexa eavesdropping in people’s homes and recording conversations (in November 2018 a New Hampshire judge ruled that audio captured in the home of a murder victim could be used as evidence in court). Then the Cambridge Analytica-Facebook scandal broke, with data harvested off people’s Facebook accounts being used to drive political advertising, potentially affecting the U.S. election result. Consumers’ growing concern has led to harsh new data protection regulations – GDPR came into force in Europe on 25th May 2018, then the California Consumer Privacy Act became effective in the state on 1st January 2020.