EU - US Privacy Shield

​​Following the decision of 6th October 2015 issued by the Court of Justice of the European Union (CJEU) in the case Schrems vs Data Protection Commissioner (Ireland)​, the Commissi​on Decision 2000/520EC dated 26 July 2000, on the adequacy of the Safe Harbour privacy principles, was declared invalid by the CJEU Advocate Gene​ral. Since then, ongoing discussions and negotiations took place between the EU Commission and the United States in order to come up with a new framework which upholds the fundamental rights to data protection of individuals, while at the same time provides for a sound legal option for entities relying on transatlantic data flows as part of their business model.

Political agreement was reached in February 2016, with the new EU-US Privacy Shield being launched by the European Commission on 12 July 2016. The scheme became operational on 1st August. Further information on the EU-US privacy shield including the full texts of the adequacy decision and annexes are available on the following link: 

http://ec.europa.eu/justice/data-protection/international-transfers/eu-us-privacy-shield/index_en.htm 

The new instrument protects the fundamental rights of citizens whose personal data is transferred from the EU to the US and brings legal clarity for similar data transfers.

The EU-US Privacy shield envisages the following safeguards:​

  • Strong obligations on companies handling data, including regular updates and reviews of participating companies, being conducted by the US Department of Commerce, to ensure that companies follow the rules they submitted themselves to. Stricter rules are applied in the case of onward transfers by the US entities subscribed to the privacy shield.

  • Clear safeguards and transparency obligations on access by the US government, have been put in place, including specific limitations and an oversight mechanism for public authorities accessing data for law enforcement and national security purposes, Every citizen in the EU will benefit from redress mechanisms.

  • Effective protection of individual rights: Any citizen who considers that their data has been misused under the Privacy Shield scheme will benefit from several accessible and affordable dispute resolution mechanisms – including by the company itself (internal resolution), or externally by their national Data Protection Authorities working in close cooperation with the Federal Trade Commission. There will also be an arbitration mechanism as a last resort if the cases are not resolved. Redress possibility in the area of national security for EU citizens' will be handled by an Ombudsperson independent from the US intelligence services.

  • Annual joint review: the mechanism will include a joint review by the Commission and the US Department of Commerce, together with associate national intelligence experts from the US, and EU Data Protection Authorities.

How does the EU-US Privacy Shield facilitate data transfers to US entities?

In the case of US entities which are listed under the EU-US Privacy Shield, the transfer of personal data to such entities by EU-based data controllers will be deemed adequate, without requiring the inclusion of additional safeguards, such as the use of EU Standard Contractual Clauses which are normally necessary to guarantee an adequate data protection level for international data transfers.

Information on US entities listed in the EU-US Privacy Shield is available on the following link:

https://www.privacyshield.gov/list