Trust Restored: The European Commission adopts the EU-U.S. Privacy Shield, but does it provide stronger protection of personal data than the recently invalidated Safe Harbor framework?

The European Commission adopted the EU-U.S. Privacy Shield on July 12, 2016, in an attempt to restore trust between the two jurisdictions through stronger safeguards for transfers of their respective citizens' personal data. The framework was designed by the U.S. Department of Commerce and the European Commission to satisfy EU data protection requirements for personal data transferred from the EU to the U.S. The Privacy Shield imposes stronger obligations on U.S. companies to protect the personal data of European citizens. Facebook and up to 4,500 other firms have been scrambling to avoid heavy fines from European data regulators ever since the former Safe Harbor framework was dissolved as a result of the Schrems v. Data Protection Commissioner ruling. Without such a framework in place, U.S. companies and organizations have no straightforward legal basis for receiving personal data from EU partners or their own European offices and must fall back on alternative mechanisms such as standard contractual clauses.

To understand what the Privacy Shield means, let's first look at how its adoption came about. The European Commission originally found the former Safe Harbor framework (think of it as the weaker predecessor of the Privacy Shield, if you will) to be adequate. The framework, adopted in 2000, was designed to keep U.S. organizations that received personal data from the EU from disclosing, misusing or losing that data. The Safe Harbor consisted of a set of data protection principles to which American organizations could subscribe voluntarily. It essentially allowed personal data to be transferred as long as companies self-certified that they complied with EU privacy principles.

Fifteen years later, the Safe Harbor framework was found to be inadequate in a ruling by the Court of Justice of the European Union. On October 6, 2015, the Court held in Schrems v. Data Protection Commissioner that the Safe Harbor decision failed to ensure adequate protection of privacy and must be declared invalid. The case stems from a complaint filed by Austrian privacy activist Maximillian Schrems with the Irish Data Protection Commissioner concerning the law and practice of U.S. surveillance in light of the Snowden revelations.

Since the ruling in October 2015, U.S. companies and organizations have been in limbo regarding the privacy protections they owe EU citizens. The adoption of the EU-U.S. Privacy Shield has finally given these companies an answer. However, many of those who led the charge against the Safe Harbor framework believe the new framework, although better, will also fail and be ruled inadequate in the near future.

The Privacy Shield requires the U.S. to monitor and enforce stronger protection of EU citizens' personal data. Instead of companies simply stating that they meet EU standards, the new framework includes mechanisms to verify that these companies and the U.S. government are actually following the rules. Access to data for law enforcement and national security purposes is subject to limitations and safeguards. U.S. companies that are already familiar with Safe Harbor will find the Privacy Shield's framework and principles similar, but with stricter conditions. The new framework will require companies to review their contracts with service providers more thoroughly and to analyze their data retention practices more carefully.

Main changes from Safe Harbor to the Privacy Shield

• The U.S. Department of Commerce is responsible for monitoring and verifying that self-certified U.S. companies are meeting the higher standards for personal data privacy
• Individuals whose data originates in the EU may lodge a complaint if their rights have been violated, including, for complaints about access by U.S. intelligence agencies, through a newly created Ombudsperson mechanism
• The U.S. has given written assurances ruling out indiscriminate mass surveillance of transferred personal data

Main Principles
• Notice: participating organizations must inform individuals of their participation in the Privacy Shield, what types of data are being collected, and the purposes for which the data is collected
• Choice: individuals must be given the opportunity to opt out of having their information disclosed to a third party or used for a purpose materially different from the one for which it was collected; for sensitive data, affirmative opt-in consent is required
• Security: companies/organizations must take reasonable and appropriate measures to protect an individual's personal information
• Integrity and purpose limitation: companies/organizations must limit the data they hold to what is relevant for the purposes for which it was collected and use it only for those purposes
• Access: companies/organizations must provide individuals with access to their personal data and give them the opportunity to correct, amend or delete it
• Handling complaints: companies/organizations must implement processes for handling complaints promptly in order to be approved by the Department of Commerce to operate under the Privacy Shield
• Sanctions: companies/organizations will face much harsher sanctions for noncompliance under the Privacy Shield

Requirements for U.S. companies handling personal data
• Regular reviews of their compliance with the data protection rules
• Effective supervision mechanisms ensuring the rules are being followed
• Strict conditions for onward transfers to third parties
• Limitation of data retention
• Annual self-certification that they meet the requirements
• Display of their privacy policy on their website
• Prompt replies to complaints (within 45 days)
• Cooperation and compliance with European Data Protection Authorities

Limitations/Safeguards in regards to U.S. Government access
• A commitment to ruling out indiscriminate mass surveillance of transferred data
• Use of bulk-collected data is limited to specific national security purposes, such as counterterrorism, countering the proliferation of weapons of mass destruction, and counterespionage
• Written assurances from the U.S. government setting out clear limitations on the use of personal data by law enforcement and national security agencies

Brexit may have a major impact on the Privacy Shield moving forward. Many of those who led the challenge to the Safe Harbor framework believe the Privacy Shield is so similar to its predecessor that it will likely be found inadequate in the near future. However, Europe's economy post-Brexit is in such a state of shock that many believe judges and regulators may be reluctant to reject the new framework. Rejection of the Privacy Shield would force companies back into legal limbo, with the possibility of major sanctions and fines, or of pulling their business out of Europe altogether.

Though the UK's formal exit won't occur for at least two years, the UK will need to implement a framework similar to the Privacy Shield. As of today, it is unclear whether the UK will choose to enter into a similar pact with the U.S. regarding its data protection principles and laws. However, it is inevitable that a framework similar to the Privacy Shield will be negotiated and potentially adopted by the UK in the next few years in order to protect UK citizens' personal information.

Multinational companies/organizations that transfer data out of the EU must be more attentive than in previous years to how personal information is handled and transferred. Further, with Brexit officially happening in the next few years, companies/organizations should be aware of the impact it will have on data transfers between the U.S. and the UK. Multinational companies/organizations now face enforcement by EU regulators under the new framework, and could face similar enforcement from the UK in the near future as a result of Brexit.

If you have any questions about the new Privacy Shield or would like assistance with your company's policy on international transfers of personal data, please call Maribeth Meluch, one of our CIPP-certified attorneys.