The EU-U.S. Privacy Shield is a framework that was developed by the EU and the U.S. to facilitate cross-border transfers of personal data for commercial purposes. The Privacy Shield requires participating companies, organizations and whistleblowing programs to abide by various data protection requirements and, in return, assures the participants that the transfer is compliant with EU law. It was spun out of the General Data Protection Regulation (GDPR) as a way to meet the regulation’s requirements. 


But on July 16, 2020, in a decision referred to as Schrems II, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield. The complaint questioned whether the Privacy Shield and the Standard Contractual Clauses (SCCs) provided sufficient safeguards to personal information when it enters and/or leaves the EU. The court ruled that the Privacy Shield does not meet the GDPR’s standard and that SCCs only meet the standard sometimes.


The Schrems II ruling impacts personal data transfers between the EU and U.S. by considerably narrowing the manner in which data transfers can take place. Organizations now face a guidance that provides few workable solutions for international data transfers aside from a lengthy protocol for conducting risk assessments. 


“The biggest post-Schrems II risk to an EU-based company is not intentionally operating a server in the U.S. with GDPR-protected data,” says James E. Lee, chief operating officer at the Identity Theft Resource Center. “The real risk is of accidental or inadvertent data storage. Most companies of any size struggle to keep up with what data they store and where. Having a robust data management scheme reduces the risk of accidentally transferring or storing protected data outside the EU; and, if it does happen, allows you to quickly remediate the issue.”


Take, for example, the recent Bavarian DPA decision on the use of the U.S.-based Mailchimp. The supervisory authority of the German state of Bavaria was reported to have issued a decision that found the transfers of email addresses of EU subscribers by a German publisher to the email marketing platform to be unlawful. The publisher relied on the European Commission’s SCCs for its data transfers to Mailchimp. The Bavarian DPA explained that in the light of Schrems II, the publisher should have assessed whether any supplementary measures needed to be put in place in addition to the SCCs to ensure that the transferred data was protected from U.S. surveillance, but the publisher did not do so.

Now, imagine your European business is using a U.S. whistleblowing platform. Using the Bavarian DPA decision as a barometer, it’s clear that the sensitive data contained in whistleblowing reports — like whistleblower identity — could be compromised if data continues to transfer from Europe to the U.S. without supplementary measures in place. 

“Whistleblowing programs and procedures, by their nature, collect and store sensitive personal data on alleged victims, subjects and/or witness(es),” says Josh Wallenstein, managing member of The Wallenstein Law Group. “Because the Privacy Shield program is no longer valid, whistleblowing programs must adopt and employ one of the still-valid mechanisms for processing data outside of the EU and cross-border data transfers. (Still-valid mechanisms include Binding Corporate Rules, Standard Contractual Clauses and Intergroup Agreements between entities). Additionally, whistleblowing programs should require a party that initiates a report to provide explicit consent to the sharing of provided information across borders. Other aspects of the GDPR (and similar legislation) may result in additional changes to whistleblowing programs to ensure continued compliance.”


Risk assessments aren’t foolproof

According to a Nov. 19, 2020, JD Supra article, there is a six-stage process that the European Data Protection Board (EDPB) expects data exporters and data importers to follow when assessing and documenting their international data transfers and the risks to data subjects associated with them. 

Unfortunately, while the process seems straightforward, it’s more complicated than it appears on paper. The EDPB emphasized that transfers should be individually assessed, and the analysis needs to be documented in line with the accountability principle under the GDPR. Also, data exporters might be asked to produce their documented analyses to supervisory authorities — and possibly commercial partners — to address potential questions.


Check that your whistleblowing platform is compliant

Employing a safe and secure whistleblowing program at your organization is vital to the well-being of whistleblowing data, and the real people behind the reports. With the end of the Privacy Shield, check with your whistleblowing software provider to make sure they are staying compliant with the latest laws and regulations.


If your whistleblowing platform isn’t adopting and employing one of the still-valid mechanisms for processing data outside of the EU and cross-data transfers (listed below), it might be time to consider changing providers. Still-valid mechanisms include:

  • Binding Corporate Rules
  • Standard Contractual Clauses
  • Intergroup Agreements between entities
  • A third-party report that provides explicit consent to the sharing of provided information across borders


Whispli customers can feel safe knowing that European data is being hosted in Europe. If your provider doesn’t offer that option, Whispli can seamlessly help you migrate your data. Whispli operates data centers around the world in order to satisfy data residency requirements and is ISO27001 certified. Whispli has servers in multiple locations in Europe and offers multi-region hosting. This means that international organizations can host data for their American subsidiaries in the U.S. and data for their European subsidiaries in Europe without transferring any data between the two regions.  

Many U.S. companies have relied on the Privacy Shield for the legality of cross-border transfers of employee personal data, including in the context of their share-based programs. Whistleblowing data should remain safe, secure and compliant in this now-invalid Privacy Shield world, and Whispli is here to help should you need that peace of mind.