After the introduction of GDPR in 2016, it was clear that EU data transferred to countries outside of the European Union was at risk. In an attempt to provide sufficient protection, and to allow the transfer of personal data to the United States, the US Department of Commerce and the European Commission devised the EU-US Privacy Shield. From 1 August 2016, EU companies were finally able to work with US vendors without compromising their GDPR obligations.

Four years later, in July 2020, the Court of Justice for the European Union judged the European Commissions decision on the Privacy Shield to be unlawful and that the EU–US Privacy Shield was insufficient to ensure the protection of EU personal data. However, the court did confirm that Standard Contractual Clauses (SCCs) are a valid mechanism for the transfer of data from the EU to the US.

SCCs are standard sets of contractual terms and conditions agreed by both the sender and receiver of data. They contain contractual commitments to help protect personal data, and the GDPR obligations when it leaves the EU.

We at Dotdigital have never relied solely on the EU-US Privacy Shield. Whereas we do continue to maintain US Privacy Shield certification, we have also entered into contracts with organisations to make sure that we safeguard all personal data. We have Data Processing Agreements that reflect the obligations under the GDPR, passing down the measures of the EU Model Contract Clauses to make sure that all customer data is protected.