EU - U.S. Privacy Shield

    United States of America (USA)

    C(2016) 4176

    On 6 October 2015, the Court of Justice of the European Union (CJEU) issued a decision invalidating the adequacy status of the EU-US Safe Harbour. In response, a new mechanism called the Privacy Shield became operational on 1 August 2016, after the European Commission formally issued its decision that the Privacy Shield provides an adequate level of protection.

    Last Updated: July 24, 2019

  • General

    The Privacy Shield is a self-certification mechanism created to ensure that the transatlantic transfer of personal data between the EU and the US is subject to adequate safeguards that can guarantee that recipients of personal data located in the US are able to satisfy the requirements of EU data protection legislation. The Privacy Shield is founded on seven principles that companies have to demonstrate compliance with: notice, choice, accountability for onward transfer, security and integrity, purpose limitation, access, and recourse (enforcement and liability). The Principles were developed by the US DoC in consultation with the European Commission, and with other stakeholders, to facilitate trade and commerce between the EU and the US. These principles are intended to be used solely by organisations in the United States receiving personal data from the European Union.

    Having appropriate safeguards in place to guarantee the protection of personal data is highly relevant in the age of the global digital society, where the cross-border flow of data is of critical importance for international trade. According to research published in 2017 on the policy portal of the Centre for Economic Policy Research, in 2017 approximately 12% of physical trade in goods was conducted through e-commerce, and around 40% of imports and exports in Europe take place on digital platforms. By 2014, a study had concluded that transatlantic data transfers between the EU and the US were the largest worldwide.

    Even though great volumes of data are transferred internationally, the processing operations conducted are subject to the national and regional laws of the jurisdictions where data controllers and processors are established. For example, whereas the processing of personal data concerning data subjects located in the EU is regulated by the GDPR (and complemented by Member State legislation), once such information is transferred to a controller or processor established in a third country, the processing of personal data in that third country will be subject to a different legal framework.

    In this context, the GDPR stipulates that the protection of personal data of natural persons should not be undermined as a result of cross-border flows. For this reason, international data flows from and to the EEA are only considered lawful if (a) data are transferred to a jurisdiction that is deemed by the EC to provide an adequate level of protection; (b) in the absence of an adequacy decision, the transfer is subject to appropriate safeguards and mechanisms (i.e. a legally binding and enforceable instrument between public authorities or bodies, BCRs, standard data protection clauses adopted by the EC, an approved code of conduct, or adherence to an approved certification mechanism); or (c) the transfer falls within one of the exceptions listed in Article 49 of the GDPR, which cannot be relied upon for systematic and regular business transactions.

    Only about a dozen jurisdictions have been afforded an adequacy decision by the EC, and the US is not one of them. This is largely due to the fact that the EU and the US have fundamentally different approaches to guaranteeing privacy and ensuring the protection of personal data. On the one hand, the EU considers privacy and the protection of personal data to be fundamental rights (Articles 7 and 8 of the EU Charter of Fundamental Rights). In the EU, the processing of information that reveals characteristics attributable to a natural person is only lawful if it complies with the basic principles and requirements laid down in the GDPR. The US, on the other hand, broadly enshrines the right to privacy in its Constitution, and its general approach is more lenient: for instance, the processing of personal data in the US is generally permitted so long as it does not cause harm and is not expressly prohibited by US law. Since 1995, policymakers on both sides of the Atlantic have been aware that these fundamental differences had the potential to disrupt EU-US trade and investment relationships.

    In response to this challenge, the European Commission sought to negotiate an ad hoc mechanism with its US counterparts, with the aim of extending the reach and consistency of the protection afforded to the personal data of individuals located in the EU whose data are transferred to the US. In 2000, both sides of the Atlantic agreed on a mechanism that would allow US entities to meet the adequate level of protection required by EU legislation. This mechanism was known as the Safe Harbour. The Safe Harbour was afforded an adequacy decision by the EC, which meant that entities that adhered to it were considered to have appropriate data protection safeguards in place. Nevertheless, the Safe Harbour mechanism was riddled with challenges from the beginning.

    On 6 October 2015, the CJEU issued a decision invalidating the adequacy decision issued in favour of the Safe Harbour mechanism (in Schrems v Data Protection Commissioner). In this decision, the CJEU expressed several concerns, most notably that the mechanism enabled the US authorities, in pursuing their legitimate objective of safeguarding national security, to interfere with the fundamental rights of the persons whose data are transferred from the EU to the US. The CJEU noted that the Safe Harbour Agreement did not have sufficient checks and balances to limit interference with the fundamental rights to privacy and the protection of personal data.

    Following the CJEU decision in Schrems v Data Protection Commissioner, the Article 29 Working Party (A.29 WP) called on the EU to continue discussions with the US DoC in order to find suitable legal and technical solutions to enable data to flow across the Atlantic without undermining respect for fundamental rights. On 16 October 2015, the A.29 WP set a deadline of 31 January 2016 for both sides to reach an adequate agreement to replace Safe Harbour. Two days after the deadline, EU and US officials announced their agreement on a new mechanism: the Privacy Shield. This initial agreement was revisited throughout the first half of 2016 in order to address concerns raised by the A.29 WP around a lack of redress mechanisms, the ongoing ability of the US authorities to engage in mass and indiscriminate collection of personal data, and the apparent lack of independence of the ombudsperson.

    After further negotiations, the Privacy Shield was afforded an adequacy decision by the EC and formally began operation on 1 August 2016. Under this Agreement, US businesses subject to the jurisdiction of the FTC or the DoT are eligible to adhere to the Privacy Shield. This broad scope covers most American for-profit businesses, with the exception of certain banks and financial institutions, telecommunications operators, and any other business not subject to the jurisdiction of the FTC or the DoT.
