
The Privacy Shield: Update on the state of play of the EU-US data transfer rules

Written by Shara Monteleone and Laura Puccio


In the 2015 Schrems case, the Court of Justice of the European Union (CJEU) declared the European Commission’s 2000 decision on the ‘adequacy’ of the EU-US Safe Harbour regime invalid. This regime had formed the legal basis to allow transfers of data, for commercial purposes, from the EU to the United States of America (USA).

One of the main concepts on which the reasoning of the Court relied is that of ‘equivalence’ – between the level of protection existing in a third country, and the European data protection system. The Court invalidated the Commission’s Safe Harbour adequacy decision as it did not contain any findings regarding the existence in the USA of laws and practices limiting interference with the right to privacy and data protection (e.g. interference by public authorities for security purposes), nor of effective judicial remedies for individuals. According to the judgment, laws which establish exceptions (such as enacting measures for security purposes) which could lead to conflict with fundamental rights should lay down clear and precise rules regarding the scope and application of the measure, and minimum safeguards against the risk of abuse, including unlawful access and further use of such data. The corollary of this statement is that derogations and restrictions to data protection should be allowed only if strictly necessary. Moreover, whereas the self-certification mechanism for US-based companies could be part of an adequate data protection system, it should be accompanied by effective enforcement and oversight mechanisms.

As a consequence, the judgment ruled the Safe Harbour framework, on which a large number of companies had relied, insufficient to ensure the high level of protection for EU citizens required under EU law. This invalidation of Safe Harbour created legal uncertainty and the need for a new arrangement. In the meantime, more than 4 000 US companies making data transfers switched to other existing tools, albeit more burdensome and limited, such as Binding Corporate Rules or Standard Contractual Clauses.

In 2016, the European Commission and the USA adopted a new framework for transatlantic exchange of personal data, known as the Privacy Shield. Within a year, more than 3000 companies had subscribed to the new framework, and the US Federal Trade Commission had already triggered three cases of non-compliance with Privacy Shield. In September 2017, the first joint annual review of Privacy Shield took place. Although considered to be working well, a number of recommendations for further improvements were issued. Moreover, a range of concerns still remain to be addressed (not least in view of the recent Facebook / Cambridge Analytica scandal). The European Parliament adopted a resolution in July 2018, which, although acknowledging some improvements, reiterates a number of persistent concerns on Privacy Shield, and calls on the Commission to suspend the Shield. Unless the concerns can be resolved satisfactorily, the underlying legal uncertainty may not disappear, and Privacy Shield is also likely to end up challenged before the CJEU, like its predecessor.

Read the complete in-depth analysis on “The Privacy Shield: Update on the state of play of the EU-US data transfer rules”.



Redress mechanisms available to individuals




Avenues of redress for undue access and use by US public authorities


