SaaS Agreements – Data Protection – New EU-US Privacy Shield?

SaaS supplier and SaaS customers should be aware that discussions are currently taking place between the EU and US authorities in relation to a proposed new EU-US Privacy Shield.


Following the Schrems II judgement, of the European Court of Justice, which invalidated the EU-US Privacy Shield and the subsequent European Data Protection Board (“EDPB”) guidance on data transfers, SaaS customers and SaaS suppliers are required to carry out a data transfer assessment (“DTA”) prior to transferring any personal data from the EEA to a “third country” i.e. to a country which does not have an “adequacy decision” from the EU, for example, the USA.

New Proposed EU-US Privacy Shield 2.0

In the last few weeks, the European Commission has announced it is negotiating a new EU-US Privacy Shield with the USA. Once the text of the new EU-US Privacy Shield is finalised it will need to be approved by the European Commission and then reviewed by the EDPB before it can be granted an “adequacey decision” by the European Commission. If the new EU-US Privacy Shield is granted an “adequacy decision” it can be used instead of standard contractual clauses or BCRs as a valid transfer mechanism for data transfers to the USA without the need to carry out any DTA.

When can the EU-US Privacy Shield be used

Currently there is no published text for the adequacy process to be started.

This means that until an “adequacy decision” is issued by the European Commission the new EU-US Privacy Shield cannot be used as a valid transfer mechanism. This will take months to obtain, from the date that the final text of the new EU-US Privacy Shield is agreed between the EU and the USA.

Does version 2.0 Solve the Problem of Transfers to the USA?

In any event, even if the new EU-US Privacy Shield is granted an “adequacy decision” it can be assumed that the validity of the new EU-US Privacy Shield will be challenged in the European Court of Justice (by Mr Schrems). Such challenge is almost pre-programmed unless the USA changes its surveillance laws, which is unlikely.

Furthermore, regardless of the validity of the new EU-US Privacy Shield, many SaaS customers will simply not agree to use the new EU-US Privacy Shield, as was the case in the past for Safe Harbor and the old EU-US Privacy Shield. So the usual problems of data transfers to the US will probably not be resolved by a new EU-US Privacy Shield 2.0.

Further information on this issue will be published as the situation evolves.


Irene Bodle is an IT lawyer specialising in SaaS agreements, GDPR and cloud computing with over 15 years experience in the IT sector. If you require assistance with any SaaS or cloud computing contracts, GDPR or any other IT legal issues please contact me:

To register for my newsletter click here