16/07/2020, the Court of Justice of the European Union (CJEU) has ruled to invalidate the Privacy Shield agreement.

This means, that from that date all transfers of personal data to the US that before relying on Privacy Shield are non-compliant.

There has not been given any grace period, but we will not expect any immediate action. However, from this point data controllers will need to find another legal basis for the transfer.

Secondly, the CJEU validated the use of standard contractual clauses (SCC), which is one of the other ways data controllers can obtain a legal basis for data transfers.

This however gives data controllers additional work and in some cases, a false sense of security as this requires the data controller to make an assessment of data protection levels of the transfer to the US.

What are the next steps

  • Find out what cookies share data outside of the EU

Data controllers must perform an assessment to ensure that the vendor that resides in the US maintains a level of protection that is essentially equivalent to the one guaranteed by the GDPR, in a country for which the CJEU has assessed that the data protection levels are not adequate.

  • Once you found them, contact the cookie vendors and ask them to switch to the use of SCC

It would be beneficial for data controllers to seek the options of SCC, as this can be a valid and simpler task for your legal team.

If not standard contractual clauses then what

If SCCs are not possible, here are the following approaches:

  1. The data processer stops the data transfer and lets the data stay within the EU.

  2. The data controller collects consent from the end-user to transfer the data to the US

  3. The data controller stops the data transfer by switching to another vendor.

Cookie Information gives to overview of the website's data transfer. By accessing the Compliance Dashboard, you can monitor data transfer for your website. This will be the stepping stone for anyone who wants to deal with the situation outlined above.


Easily visualize to what countries cookies on all of your domains send data, and locate potential privacy risks. The Compliance Dashboard updates daily and gives you an accurate insight into your website's cookies.

If you are already a client and you are curious about obtaining the professional Compliance Dashboard please write to us at customer@cookieinformation.com

Did this answer your question?