EU-U.S. Privacy Shield

The EU-US Privacy Shield (Privacy Shield) has passed its third annual review by the European Commission. A framework constructed by the US Department of Commerce and the European Commission to enable transfers of personal data for commercial purposes, the Privacy Shield enables companies from the EU and the US to comply with data protection requirements when transferring personal data from the EU to the US.

The Privacy Shield was approved by the European Commission on 12 July 2016, and was subject to annual reviews to try to avoid the failures that resulted in the downfall of the Safe Harbor Principles, which it replaced. The reviews evaluate all aspects of the functioning of the Privacy Shield framework.

The EU-US Privacy Shield is one of the legal mechanisms enabling the transfer of personal data outside the European Economic Area to US companies that have self-certified to a number of privacy principles (which correspond to EU data protection requirements). The Privacy Shield replaced the Safe Harbour scheme and came into effect almost two years ago in August 2016. Since then it has faced numerous criticisms and legal challenges and is under scrutiny once again, facing possible suspension and even invalidation.



The EU and U.S. competent authorities have one year to implement the recommendations that the Article 29 Working Party (WP29, which is a gathering of all EU national data protection authorities) made in its opinion of November 28, 2017 to increase the level of personal data protection provided by the Privacy Shield framework. As they announced in this opinion, failure to do so will result in these authorities challenging the validity of the Privacy Shield adequacy decision before the courts. Such a cancellation could lead to certified U.S. companies (2,400 companies, including web giants and major cloud providers) losing their certification, having to freeze data flows and having to implement other legal mechanisms allowing them to import personal data from the EU.

It should be noted that the EU and U.S. authorities negotiated the Privacy Shield under a perspective that was more in line with Directive 95/46 (the main applicable data protection instrument at the time of negotiation) than with the General Data Protection Regulation (GDPR). The GDPR will repeal this Directive and increase the level of protection of personal data from May 25, 2018, and the WP29 will plan to prepare businesses for it.

In its report, the WP29 focuses on guarantees of enforcement and efficiency.

On October 18, 2017, the European Commission issued its report on the first annual review of the EU-U.S. Privacy Shield, aimed at allowing personal data transfer from the EU to the U.S. through the implementation of a data protection framework providing an adequate level of protection in the U.S. Over 2,400 companies have

On September 15, 2017, the Trump White House released a Press Release regarding the EU-U.S. Privacy Shield—reiterating that they “firmly believe that the upcoming review [of the EU-U.S. Privacy Shield] will demonstrate the strength of the American promise to protect the personal data of citizens on both sides of the Atlantic.”

The first alliance of

Between the cancellation of the Safe Harbor by the Court of Justice of the European Union (CJEU) and the adoption of the Privacy Shield, a number of data exporters have relied on the Standard Contractual Clauses (SCC) as the safest export tool to transfer personal data from the EU to the U.S. But as announced

Throughout the past several years, data privacy and security practices have evolved into more than just defending against identity theft and protecting sensitive data. In fact, since 2014, to help raise awareness for data protection issues, the United States designated January 28th as Data Privacy Day. In recognition of this internationally observed day, over

After its first draft of February 29, 2016, the European Commission adopted the EU-U.S. Privacy Shield adequacy decision on July 12, 2016. The first draft was adopted after the cancellation of the Safe Harbor by the Court of Justice of the European Union (CJEU) on October 15, 2015 (Schrems case). A new adequacy decision was therefore highly welcome to allow the tens of thousands of U.S. and EU companies that rely on Safe Harbor to transfer personal data across the Atlantic. After the first draft of the adequacy decision, several EU institutions raised numerous concerns regarding it. First, on April 13, 2016, the Article 29 Working Party (WP 29) released an opinion, noting that the Privacy Shield offers major improvements compared to the invalidated Safe Harbor decision but, at the same time, urging the European Commission to resolve all concerns expressed by WP 29 in order to ensure that the protection to be offered by the Privacy Shield is indeed essentially equivalent to that of the EU. This opinion was followed on May 26, 2016 by a resolution of the EU Parliament in which it also expressed several concerns about the proposed Privacy Shield. Finally, on May 30, 2016 the European Data Protection Supervisor (EDPS) published its opinion where, although it “welcomed the efforts shown by the parties to find a solution for transfers of personal data”, the EDPS added that “robust improvements” were needed “in order to achieve a solid framework, stable in the long term”.

The EU-U.S. Privacy Shield adequacy decision adopted on July 12, 2016 by the European Commission was supposed to cure all the concerns expressed after the first draft. The surprise is of course that WP 29’s press release of July 26, 2016 does not consider that the improvements brought by the EU Commission and the U.S. authorities to the Privacy Shield proposal adequately respond to the concerns expressed. For instance, WP 29 regrets:

  • The lack of specific rules on automated decisions and of a general right to object;
  • That it remains unclear how the Privacy Shield Principles will apply to processors;
  • The lack of concrete assurance that bulk collection of personal data will not again happen, despite the commitment of the U.S. Office of the Director of National Intelligence (ODNI);
  • The lack of strict guarantees concerning the independence and the powers of the Ombudsmen in case of conflict caused by access by U.S. public authorities to personal data.

After expressing these criticisms, WP 29 proposes however to decide on the viability of the Privacy Shield after the first annual review of the framework that will take place in May 2017. In other words, WP 29 will not push for a legal challenge of the Privacy Shield before the first review. That said, even though the timing proposed by WP 29 seems practicable, in case of action by data subjects or privacy activists, the “wait and see” attitude of WP 29 will probably be difficult to maintain. Finally, the position of WP 29 seems very practical. Indeed, it is difficult to assess the adequacy of the Privacy Shield because it is mainly based on commitments taken from letters by different U.S. heads of administrative bodies and, among others, the ODNI. This meets one of the very general remarks expressed by the EDPS in its May 30, 2016 opinion, which called for “longer term solutions” “with more robust stable legal frameworks to boost transatlantic relations”. The nearly one year deadline given by WP 29 is probably the opportunity to reach robust stable legal frameworks not only for the Privacy Shield, but also for Standard Contractual Clauses and Binding Corporate Rules when they relate to transfers of personal data to the U.S.



The EU-U.S. Privacy Shield has been formally adopted by the European Commission, enabling U.S. companies who sign up to the framework to receive personal data from the EU. The new deal replaces the previous Safe Harbor framework, which was invalidated by the Court of Justice of the European Union (CJEU) last October.

The new framework