EU–US Privacy Shield

The EU–US Privacy Shield was a legal framework for regulating transatlantic exchanges of personal data for commercial purposes between the European Union and the United States (European Commission press release: political agreement on framework). One of its purposes was to enable US companies to more easily receive personal data from EU entities under EU privacy laws meant to protect European Union citizens. The EU–US Privacy Shield went into effect on 12 July 2016 following its approval by the European Commission. It was put in place to replace the International Safe Harbor Privacy Principles, which were declared invalid by the European Court of Justice in October 2015 (Vera Jourová, "Commissioner Jourová's remarks on Safe Harbour EU Court of Justice judgement before the Committee on Civil Liberties, Justice and Home Affairs (LIBE)", 26 October 2015). The ECJ declared the EU–US Privacy Shield invalid on 16 July 2020, in the case known as Schrems II. In 2022, leaders of the US and EU announced that a new data transfer framework called the Trans-Atlantic Data Privacy Framework had been agreed to in principle, replacing Privacy Shield. However, it is uncertain what changes will be necessary or adequate for this to succeed without facing additional legal challenges.


History

In October 2015 the European Court of Justice declared the previous framework called the International Safe Harbor Privacy Principles invalid in a ruling that later became known as "Schrems I". Soon after this decision, the European Commission and the U.S. Government started talks about a new framework, and on February 2, 2016, they reached a political agreement. The European Commission published the "adequacy decision" draft, declaring principles to be equivalent to the protections offered by EU law. The Article 29 Data Protection Working Party delivered an opinion on April 13, 2016, stating that the Privacy Shield offers major improvements compared to the Safe Harbor decisions, but that three major points of concern still remain. They relate to deletion of data, collection of massive amounts of data, and clarification of the new Ombudsperson mechanism. The European Data Protection Supervisor issued an opinion on 30 May 2016 in which he stated that "the Privacy Shield, as it stands, is not robust enough to withstand future legal scrutiny before the European Court". On 8 July 2016 EU member states' representatives (article 31 committee) approved the final version of the EU-U.S. Privacy Shield, paving the way for the adoption of the decision by the commission. The European Commission adopted the framework on 12 July 2016 and it went into effect the same day. On January 25, 2017, U.S. President Donald Trump signed an executive order entitled "Enhancing Public Safety" which states that U.S. privacy protections will not be extended beyond US citizens or residents: This executive order was repealed by President Joe Biden on January 20, 2021. The European Commission has stated that: The commission said it will "continue to monitor the implementation of both instruments".


Privacy Shield principles

In general, there are seven major principles which the organization has developed. They are stated in the following paragraphs:

1. Notice – Individuals must be informed that their data is being collected and how it will be used. The organization must provide information about how individuals can contact the organization with any inquiries or complaints.
2. Choice – Individuals must have the option to opt out of the collection and forward transfer of the data to third parties.
3. Accountability for onward transfer – Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
4. Security – Reasonable efforts must be made to prevent loss of collected information.
5. Data integrity and purpose limitation – Data must be relevant and reliable for the purpose it was collected.
6. Access – Individuals must be able to access information held about them, and correct or delete it, if it is inaccurate.
7. Resources, enforcement and liability – There must be effective means of enforcing these rules.


Response

German MEP Jan Philipp Albrecht and Austrian campaigner Max Schrems criticized the new ruling, with the latter predicting that the commission might be taking a "round-trip to Luxembourg" (where the European Court of Justice (CJEU) is located). Many Europeans demanded a mechanism for individual European citizens to lodge complaints over the use of their data, as well as a transparency scheme to assure that European citizens' data does not fall into the hands of US intelligence agencies.


Legal challenge

The Privacy Shield has been challenged legally by privacy groups. Initially, it was not clear whether the cases would be considered admissible. However, by February 2017 the future of the Privacy Shield was contested. One consultant, Matt Allison, predicted that "The EU's citizen-driven, regulated model will swiftly come into conflict with the market forces of the US and the UK." Allison summarized a new paper in which the European Commission lays out its plans for adequacy decisions and global strategy.

In December 2019, the Court of Justice of the European Union (CJEU) issued a preliminary opinion in the Data Protection Commissioner v Facebook Ireland case (also known as Schrems II). It outlined various scenarios that may result from the conflict in regimes. One lawyer concluded that the opinion "should generate equal measures of relief and alarm for the U.S. government and for companies dependent on data transfers."

A final CJEU decision was published on 16 July 2020 in Schrems II. The EU-US Privacy Shield for data sharing was struck down by the European Court of Justice on the grounds it did not provide adequate protections to EU citizens from government surveillance. The European Data Protection Board (EDPB), an EU organization whose decisions are binding for national privacy supervisory authorities, declared that, "transfers on the basis of this legal framework are illegal". The ruling did not completely stop data transfers between the EU and other foreign countries as the court upheld the use of "standard contractual clauses" (SCCs). But SCCs do not necessarily protect data in countries where the law is fundamentally incompatible with the Charter of Fundamental Rights of the EU and the General Data Protection Regulation (GDPR), like the US. The existing impasse was the subject of ongoing academic proposals and research.

On 25 March 2022 the US and EU announced that a new data transfer agreement had been reached. The new framework, called the Trans-Atlantic Data Privacy Framework, would allow EU citizens to pursue data privacy violations through a new "Data Protection Review Court". On 7 October 2022 President Biden signed an executive order to implement the European Union-U.S. data transfer framework, which adopts new American intelligence gathering privacy safeguards. A decision regarding the impact of Brexit on Privacy Shield was expected by 31 December 2020, but may be moot due to the CJEU decision. The new version is subject to criticism.


Swiss–US Privacy Shield

Switzerland is not an EU member but follows many EU policies through treaty implementations. Accordingly, it has implemented its own version of the Privacy Shield framework through its own Swiss–US Privacy Shield. It is largely similar to the EU–US Privacy Shield framework, but implements its own DPA instead of various EU DPAs. It also has no grace period and several other meaningful differences to the definition of "sensitive data," binding arbitration, and changes to privacy policies. The EU–US and Swiss–US programs were similar enough that they were administered together by the United States.


See also

* Binding corporate rules
* Electronic Communications Privacy Act
* FTC fair information practice (FIPP), US
* IT risk
* Privacy
* Safe harbor (law)
* Stored Communications Act


External links


* Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU–US Privacy Shield, now void because of Schrems II
* EU–US Privacy Shield fact sheet at the European Union
* EU–US Privacy Shield fact sheet at the US Department of Commerce