Members' Research Service By / August 7, 2018

The Privacy Shield: Update on the state of play of the EU-US data transfer rules

The CJEU’s Schrems judgment of October 2015, besides declaring the European Commission’s Decision on the EU-US ‘Safe Harbour’ data transfer regime invalid, has also settled a number of crucial requirements corresponding to the foundations of EU data protection. In less than one year from the CJEU ruling, the Commission had adopted a new adequacy decision in which the new framework for EU-US data transfer, the Privacy Shield (2016), is deemed to adequately protect EU citizens. The main improvements of the Privacy Shield (over its predecessor), as well as the critical reactions to the new arrangements, are discussed in this paper. The first joint annual review took place in September 2017 on which both the Commission and Article 29 Working Party issued their own reports. Although progress is recognised, a number of concerns remain and new challenges to the Privacy Shield have arisen, among others, from the Facebook/Cambridge Analytica scandal, as pointed out by the European Parliament in its recent resolution.

© vector_master / Fotolia

Written by Shara Monteleone and Laura Puccio,

USA-EU shield sign
© vector_master / Fotolia

In the 2015 Schrems case, the Court of Justice of the European Union (CJEU) declared the European Commission’s 2000 decision on the ‘adequacy’ of the EU-US Safe Harbour regime invalid. This regime had formed the legal basis to allow transfers of data, for commercial purposes, from the EU to the United States of America (USA).

One of the main concepts on which the reasoning of the Court relied is that of ‘equivalence’ – between the level of protection existing in a third country, and the European data protection system. The Court invalidated the Commission’s Safe Harbour adequacy decision as it did not contain any findings regarding the existence in the USA of laws and practices limiting interference on the right to privacy and data protection (e.g. interference by public authorities for security purposes), nor of effective judicial remedies for individuals. According to the judgment, laws which establish exceptions (such as enacting measures for security purposes) which could lead to conflict with fundamental rights should lay down clear and precise rules regarding the scope and application of the measure, and minimum safeguards against the risk of abuse, including unlawful access and further use of such data. The corollary of this statement is that derogations and restrictions to data protection should be allowed only if strictly necessary. Moreover, whereas the self-certification mechanism for US-based companies could be part of an adequate data protection system, it should be accompanied by effective enforcement and oversight mechanisms.

As a consequence, the judgment ruled the Safe Harbour framework, on which a large number of companies had relied, insufficient to ensure the high level of protection for EU citizens required under EU law. This invalidation of Safe Harbour created legal uncertainty and the need for a new arrangement. In the meantime, more than 4 000 US companies making data transfers switched to other existing tools, albeit more burdensome and limited, such as Binding Corporate Rules or Standard Contractual Clauses.

In 2016, the European Commission and the USA adopted a new framework for transatlantic exchange of personal data, known as the Privacy Shield. Within a year, more than 3000 companies had subscribed to the new framework, and the US Federal Trade Commission had already triggered three cases of non-compliance with Privacy Shield. In September 2017, the first joint annual review of Privacy Shield took place. Although considered to be working well, a number of recommendations for further improvements were issued. Moreover, a range of concerns still remain to be addressed (not least in view of the recent Facebook / Cambridge Analytica scandal). The European Parliament adopted a resolution in July 2018, which, although acknowledging some improvements, reiterates a number of persistent concerns on Privacy Shield, and calls on the Commission to suspend the Shield.. Unless the concerns can be resolved satisfactorily, the underlying legal uncertainty may not disappear, and Privacy Shield is also likely to end up challenged before the CJEU, like its predecessor.

Read the complete in-depth analysis on “The Privacy Shield: Update on the state of play of the EU-US data transfer rules“.



Redress mechanisms available to individuals
Redress mechanisms available to individuals



Avenues of redress for undue access and use by US public authorities
Avenues of redress for undue access and use by US public authorities

Related Articles

Leave a Reply

%d bloggers like this: