Following the decision of 6th October 2015 issued by the
Court of Justice of the European Union (CJEU) in the case , the Commission Decision 2000/520EC dated 26 July 2000, on the
adequacy of the Safe Harbour privacy principles, was declared invalid by the
CJEU Advocate General. Since then, ongoing discussions and negotiations took
place between the EU Commission and the United States in order to come up with
a new framework which upholds the fundamental rights to data protection of individuals,
while at the same time provides for a sound legal option for entities relying
on transatlantic data flows as part of their business model.
Political agreement was reached in February 2016, with the new
EU-US Privacy Shield being launched by the European Commission on 12 July 2016.
The scheme became operational on 1st August. Further information on
the EU-US privacy shield including the full texts of the adequacy decision and
annexes are available on the following link:
The new instrument protects the fundamental rights of citizens
whose personal data is transferred from the EU to the US and brings legal
clarity for similar data transfers.
The EU-US Privacy shield envisages the following safeguards:
obligations on companies handling data, including regular updates and reviews of
participating companies, being conducted by the US Department of Commerce,
to ensure that companies follow the rules they submitted themselves to.
Stricter rules are applied in the case of onward transfers by the US
entities subscribed to the privacy shield.
safeguards and transparency obligations on access by the US government, have
been put in place, including specific limitations and an oversight
mechanism for public authorities accessing data for law enforcement and
national security purposes, Every
citizen in the EU will benefit from redress mechanisms.
protection of individual rights: Any
citizen who considers that their data has been misused under the Privacy
Shield scheme will benefit from several accessible and affordable dispute
resolution mechanisms – including by the company itself (internal
resolution), or externally by their national Data Protection Authorities
working in close cooperation with the Federal Trade Commission. There will
also be an arbitration mechanism as a last resort if the cases are not
resolved. Redress possibility in the area of national security for EU
citizens' will be handled by an Ombudsperson independent from the
US intelligence services.
- Annual joint review: the mechanism will include a joint
review by the Commission and the US Department of Commerce, together with
associate national intelligence experts from the US, and EU Data
How does the EU-US Privacy Shield
facilitate data transfers to US entities?
case of US entities which are listed under the EU-US Privacy Shield, the
transfer of personal data to such entities by EU-based data controllers will be
deemed adequate, without requiring the inclusion of additional safeguards, such
as the use of EU Standard Contractual Clauses which are normally necessary to
guarantee an adequate data protection level for international data transfers.
on US entities listed in the EU-US Privacy Shield is available on the following