EU-US Privacy Shield now illegal – are your cookies sending data to the US?

Data transfers from the EU to the US are no longer valid under the Privacy Shield agreement. If you use American-based services like Google Analytics or Facebook, then the EU Court’s decision also applies to your website. Here’s how to check if your website sends data to unsecure third countries and the US.

You may have heard.

On July 16, 2020, the European Court of Justice (CJEU) declared the EU-US Privacy Shield invalid.

But what does that really mean for you if you use third-party cookies on your site? And how can you check if these cookies send data from the EU to the US?

Questions about your Cookie Information Solution and Privacy Shield? Or are you looking for a professional Cookie Consent Solution which can monitor data transfer to unsecure third countries?

Then contact us at Cookie Information.

What does the Privacy Shield invalidation mean for you?

It means that you can no longer rely on the EU-US Privacy Shield agreement for any transfers of personal data from the EU to the US.

It means that you need to find other appropriate safeguards for transferring data to the US.

And it means that you should determine which cookies on your websites are sending personal data back to their US-based owners.

What should you do now?

First of all, if you use any type of software, cloud service, or cookie-setting service on your website which shares data with its US-based provider, the CJEU decision applies to you.

Looking specifically at website cookies, it’s important to first get an overview of the cookies your website places on your users’ computers.

These can be your own (first-party) cookies, but they can also come from programs, add-ons and services you use on your website, e.g. Google Analytics, Facebook Pixel, social media share/like buttons etc.

When you know exactly where all those cookies send data, you can decide whether to use Standard Contractual Clauses (SCC) for data transfers or stop using the US-based services.

How can you monitor which cookies send data to the US?

Cookie Information has developed a tool to monitor where your website cookies send data.

With our Compliance Dashboard, you can easily get an overview of all your cookies on all your websites. You can get insights on illegal data transfers and act on them.

If you are looking for a consent solution which is both GDPR compliant and gives you insights into data transfers which pose a compliance risk to your company, don’t hesitate to contact us.

Why can’t you transfer data to the US with Privacy Shield any more?

It all started with an Austrian lawyer who in 2013 complained to the Irish Data Protection Authority that Facebook Ireland transferred his personal data to the US for processing.

The lawyer, Schrems, was dissatisfied that his personal data was not protected from the substantial surveillance of the US authorities.

So, after the European Court of Justice (CJEU) in 2016 declared the Safe Harbor to be an invalid data transfer method, the European Commission approved Privacy Shield as a replacement for data transfers between the EU and US.

However, the CJEU has now ruled that Privacy Shield is not a valid mechanism for data transfers between Europe and the United States of America.

The reason is that American-based data processors cannot guarantee that data will not be subject to US surveillance. The US does not provide EU residents the level of protection that the GDPR requires.

In the same ruling, the CJEU confirmed that Standard Contractual Clauses are valid for data transfers, yet it’s still unclear whether this alternative transfer mechanism can be used, since the US authorities continue to have the same access to EU citizens’ personal data.

Also, it will not be sufficient merely to use the Standard Contractual Clauses (SCC) as a method of data transfers between the EU and the US and go about your business.

Data controllers, i.e. website owners, need to conduct in-depth due diligence in relation to security standards adopted by the US-based data importer and make sure the privacy laws in the third country secure EU citizens’ data the same way as the GDPR.

The European Commission is reviewing the Standard Contractual Clauses (SCC), and we expect clarification on data transfers to the US to be forthcoming. Until that point, using the current SCC can be risky and you need to assess the risks of sending personal data to the US.