EU-US Privacy Shield

On 6 October 2015, the Court of Justice of the European Union (“CJEU”) delivered its judgment in C-362/14 Maximilian Schrems v Data Protection Commissioner invalidating the U.S.-EU Safe Harbour decision. On 29 February 2015, the European Commission formally presented the draft for Safe Harbour’s successor: the EU-U.S. Privacy Shield. The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.

To rewind, the advertising-supported internet heavily depends on transatlantic data flows. Digital publishers, marketers, and technology companies rely on a diverse supply chain that spans EU and U.S. borders in order to provide consumers with the best online experience possible. Privacy Shield has enabled companies from across the advertising-supported internet to offer consumers better services while demonstrating their commitment to privacy-protective practices. As a result, consumers can be certain that their information is being processed in accordance with EU law, regardless of the physical location of the processing.

The concept of “adequacy” – central to the EU-US Privacy Shield – is defined in Data Protection Directive 95/46/EC, which specifies that the transfer of personal data to a third country may, in principle, take place only if that third country ensures an adequate level of protection of such data. Commission Decision 2001/497/EC also sets out standard contractual clauses for the transfer of personal data to third countries under Directive 95/46/EC. The Decision requires Member States to recognise that companies or bodies which use these standard clauses in contracts relating to the transfer of personal data to third countries ensure an ‘adequate level of protection’ of the data.

The European Commission and the European Data Protection Board (EDPB) monitor and review the Privacy Shield on the European side, while the agreement is administered by the U.S. Department of Commerce and enforced by the Federal Trade Commission (FTC) and the Department of Transportation in the United States. The U.S. Department of Commerce has committed to “regular and rigorous” monitoring of how companies comply with the Privacy Shield. Companies that fail to comply face “severe sanctions” under U.S. law. In addition, under the Privacy Shield package, the U.S. Department of Justice and the Office of the Director of National Intelligence have provided the EU with assurances that access by public authorities for law enforcement, national security and other public interest purposes would be subject to clear limitations, safeguards and oversight mechanisms.

The annual joint review of the EU-US Privacy Shield (“Privacy Shield”) was established as a means to regularly monitor the functioning of the arrangement whilst reinforcing commitments and assurances regarding access to data. The European Commission and the U.S. Department of Commerce conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to contribute. Protection of individuals’ data, national security, law enforcement and commercial interests were the core principles on which the 2017 review was framed. The 2018 review centred upon European concerns that Washington did not share the same enthusiasm for Europe’s far-reaching data protection standards, whilst the then ongoing failure to assign a permanent ombudsperson was perceived as a lack of commitment on the U.S. side. In June 2019, however, two outstanding issues deriving from the EU’s 2018 review of the Privacy Shield were resolved as the U.S. Senate confirmed Keith Krach to fill the role of Ombudsperson, whilst the Senate Judiciary Committee also approved Ed Felten to serve on the Privacy and Civil Liberties Oversight Board (PCLOB), thus bolstering expectations of a positive third annual review in September 2019. It is hoped that by frequently evaluating and improving upon the terms of the arrangement, trust in transatlantic data flows may be restored for both parties.

Frequently Asked Questions: EU-US Privacy Shield

Q: When did the Privacy Shield enter into force, and what were the steps involved?

A: Before Privacy Shield could be relied upon by companies to transfer data from the EU to the U.S., the draft adequacy decision required review and approval by a committee of experts from the 28 EU member states under the so-called comitology procedure. The then Article 29 Working Party, which consisted of all 28 EU data protection authorities, issued an opinion on the draft adequacy decision on 13 April 2016, welcoming the significant improvements that Privacy Shield offers over Safe Harbour, whilst also expressing doubts as to whether the Privacy Shield’s improvements are enough, because key elements of EU data protection are missing or substituted by inadequate alternative notions. While the Article 29 Working Party’s opinion was not binding, the European Commission and EU member states considered it carefully as under the Schrems judgment national data protection authorities are given greater powers to take cases on adequacy decisions to court.

On 26 May 2016, the European Parliament adopted a joint motion for a resolution on transatlantic data flows. While not binding, the resolution sent a strong message, citing the Parliament's concerns that the current Privacy Shield would allow surveillance that does not comply with the EU’s Charter of Fundamental Rights.

Meanwhile, the Article 31 Committee approved the Privacy Shield deal, after the Commission renegotiated the deal with its US counterparts. This was a binding vote and the final formal step for the approval of the deal, meaning that the European Commission adopted the adequacy decision on Monday, 11 July 2016.

Q: How will Privacy Shield be different from Safe Harbour?

A: Privacy Shield provides a number of improvements over its predecessor, addressing the concerns of the CJEU as outlined in the Schrems ruling and in the European Commission’s 2013 communication on the functioning of Safe Harbour. Privacy Shield covers not only commitments in the commercial sector, but also the area of access to personal data by public authorities, including for national security purposes.

Privacy Shield creates a system of self-certification by which organisations commit to comply with a set of “Privacy Principles.” These principles would include more robust obligations on how personal data may be processed and individual rights guaranteed, as well as stricter liability provisions.

Privacy Shield would be administered by the U.S. Department of Commerce and enforced by the Federal Trade Commission and the U.S. Department of Transportation. The U.S. Department of Commerce has committed to “regular and rigorous” monitoring of how companies comply with Privacy Shield. Companies that fail to comply would face “severe sanctions” under U.S. law.

In addition, under the Privacy Shield package, the U.S. Department of Justice and the Office of the Director of National Intelligence have provided the EU with assurances that access by public authorities for law enforcement, national security and other public interest purposes would be subject to clear limitations, safeguards and oversight mechanisms. To this end, the U.S. will create the office of an ombudsperson tasked with following up on complaints and inquiries by EU individuals into national security access by U.S. authorities to commercial data transferred to the U.S. under any legal basis.

EU individuals would also be provided with further enhanced redress possibilities, including cost-free alternative dispute resolution. Companies would also need to commit to replying to complaints within a fixed deadline. European data protection authorities would be able to bring claims before U.S. authorities in order to facilitate investigations. In addition, as a last resort, individuals would have access to a dispute resolution mechanism that can take binding and enforceable decisions against U.S. Privacy Shield companies: the Privacy Shield Panel. EU data protection authorities would be able to assist individuals in preparing their arbitration case before the Privacy Shield Panel.

Lastly, Privacy Shield is subject to an annual joint review carried out by the European Commission and the U.S. Department of Commerce to regularly monitor the functioning of all aspects of the pact, including the limitations and safeguards relating to national security access. This review includes European data protection authorities and U.S. national security authorities. Should U.S. companies and public authorities be found not to comply with their commitments, the European Commission could suspend Privacy Shield.

Q: What are the implications of the General Data Protection Regulation on the Privacy Shield?

A: The European Commission has stressed that the Privacy Shield is drafted in such a way that it would remain valid under the EU’s General Data Protection Regulation (GDPR), which entered into force on 25 May 2019.

Frequently Asked Questions: EU-US Safe Harbour Framework

Q: What was the U.S.-EU Safe Harbour framework?

A: Under the Data Protection Directive (Directive 95/46/EC) the transfer of personal data from the European Union (“EU”) outside of the European Economic Area (“EEA”) is prohibited unless the data protection rules of the third country to which the data are transferred have been declared “adequate” by the European Commission.

As the United States (“U.S.”) and the EU take different approaches towards data protection rules, the European Commission – in consultation with the U.S. Department of Commerce – developed the Safe Harbour principles. In July 2000, the European Commission adopted the Safe Harbour decision (Decision 2000/520/EC), which declared that the Safe Harbour principles provided an adequate level of personal data protection. The decision allowed the transfer of personal data from the EU to U.S. companies that participated in the Safe Harbour self-certification scheme.

Q: Why was the Safe Harbour decision invalidated?

A: The CJEU found that the Safe Harbour framework enabled “interference (…) with the fundamental rights of the persons whose personal data is or could be transferred from [the EU to the U.S.]” because it only covered self-certified companies and not actions by U.S. authorities.

Additionally, the CJEU considered the European Commission’s Safe Harbour decision and found that the Commission had not – as is required by the Data Protection Directive – established that the U.S. provides an adequate level of protection of personal data “by virtue of its domestic law and international obligations”, i.e. a “level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order.”

In this context the Court recalled that in the EU, interference with the fundamental right to respect for private life is only permissible where it is strictly necessary, and it explicitly provided examples of legislation that is not in line with the EU legal order: generalised retention of personal data; generalised surveillance of the content of communications; and lack of judicial recourse for individuals to access, rectify or erase personal data relating to them.

The CJEU further found that the Safe Harbour framework unlawfully limited the power of national data protection authorities to investigate claims by individuals concerning the adequacy of third countries.

Q: When did the CJEU’s judgment come into effect?

A: The CJEU’s judgment was effective immediately. As such, the U.S.-EU Safe Harbour Framework ceased to exist as of 6 October 2015.

Q: How can my company continue to legally transfer data from the EU to the U.S.?

A: The Safe Harbour Principles were not the only mechanism allowing the transfer of personal data from the EU to the U.S. Your company may still leverage any one or several of the following alternatives:

For more detailed information please consult the European Commission’s communication on transfers of personal data from the EU to U.S. following the Schrems judgment. Additionally, companies should consult the data protection authorities in their relevant markets as requirements for the lawful transfer of data to the U.S. may vary across countries.

Q: What is the impact of the Schrems judgment on alternative transfer mechanisms?

A: In principle, the Schrems judgment only invalidated the Safe Harbour decision and has no bearing on the validity of alternative transfer mechanisms.

However, the Article 29 Working Party (“WP29”, now the European Data Protection Board (EDPB)) indicated reservations about alternative transfer mechanisms, such as Binding Corporate Rules (“BCRs”), for transfers of personal data from the EU to the U.S., on the basis that some of the CJEU’s considerations concerned fundamental rights and could therefore also apply to alternative transfer mechanisms. While the WP29 was unambiguous about the unlawfulness of continued transfers based on the invalidated Safe Harbour decision, it announced that it considered transfers under BCRs and Standard Contractual Clauses valid for the moment.

The WP29 originally indicated that it could take enforcement action against transfers based on alternative transfer mechanisms after the end of January 2016 unless U.S. and EU negotiators could resolve the outstanding issues. This grace period was extended to allow the WP29 time to analyse the successor to Safe Harbour, the Privacy Shield, which was announced on 2 February 2016 (see below).

In any case, companies should consult with the data protection authorities in their respective markets as different member states may take a different view to that of the EDPB.

Q: What agreement came to replace the Safe Harbour framework?

A: On 2 February 2016 the European Commission announced that EU and U.S. negotiators had reached a political agreement on the successor to the Safe Harbour framework: the EU-U.S. Privacy Shield. On 29 February 2016, the European Commission published the series of documents that make up the Privacy Shield framework, including its draft decision on the adequacy of the protection provided by the EU-U.S. Privacy Shield as well as a number of supporting documents.