Privacy Shield declared invalid

The Court of Justice of the European Union ruled that the Privacy Shield data-sharing agreement between the United States and the European Union was invalid. If you worry about the privacy of your data, you should ask yourself if you should use American cloud solutions. We explain why.

Why was the Privacy Shield agreement repealed?

The Privacy Shield was an agreement between the United States and the European Union on how U.S. companies handle European users’ data. Simply put, the Privacy Shield prevented American companies from sharing European citizens’ data. The CJEU struck down the Privacy Shield program because the privacy protection measures were “inadequate”.

The decision comes as part of the ruling for the ongoing Facebook v Schrems case, in which Max Schrems highlights issues with data privacy.


What are the consequences?

With this decision, the CJEU clearly states that US surveillance laws violate EU fundamental privacy rights. One of the issues is that the US limits most protections to American citizens, leaving the data of foreign customers unprotected. This applies not only to solutions such as Office 365, Google G Suite, or Dropbox, but also to American companies that manage your website, CRM, and administration.

“CJEU clearly states that US surveillance laws are in conflict with EU fundamental privacy rights”

The court’s decision makes it difficult for US cloud services to position themselves as a secure solution to store and share sensitive data. Many businesses, schools, and governmental agencies still rely on solutions such as Office 365 and Google G Suite. This makes these organizations vulnerable to heavy fines under the GDPR.

US Cloud services are not GDPR Compliant

While these solutions are an indispensable part of our lives, several countries have previously pointed out privacy issues that services such as Office 365 have. Germany has already stated that the use of Office 365 in schools is illegal because it violates privacy law. The Dutch government recently uncovered many GDPR violations in an extensive review of Office 365.

It is not the first time the EU court has declared a data-sharing agreement between the US and the European Union invalid. In October 2015, the Safe Harbor agreement was also deemed insufficient to protect EU citizens’ privacy rights. It was soon replaced by the Privacy Shield agreement, which, as you have read, is incompatible with EU privacy law.

Do you use a US-based (cloud) solution?

If you currently use a cloud service such as OneDrive, Dropbox, or Google Drive, you may not be GDPR compliant. Even if you signed a data processing agreement, your files could be processed in the US. This means that you cannot guarantee to your clients that your data is 100% GDPR compliant.

How do I know if my solution is hosted on American soil?

  • Find where the company is located
  • Find out where that company hosts its servers

If this information is difficult to find, you can at least check where the website is hosted.

The best way to tackle this is to make sure you know exactly where your data is stored. Choose a cloud platform that stores your data in Europe. If you need help protecting your data, we are available to advise and help you find the right solutions.

vBoxx only recommends solutions that are stored in the Netherlands and fully compliant with the privacy rules of the GDPR. We offer free consultations if you need advice about storing your data on a secure platform. Feel free to call us at 070 – 206 00 91 or send an email to
