What is the EU-US Privacy Shield?
The EU–US Privacy Shield was a framework, agreed by the EU and the US, to facilitate the cross-border flow of EU citizens’ data. The EU–US Privacy Shield was declared invalid by the European Court of Justice (ECJ) on July 16, 2020, following the decision in Schrems II.
The Privacy Shield delivered a framework for US organizations requiring access to the data of European citizens.
The Privacy Shield
The Privacy Shield replaced the Safe Harbor agreement, which was invalidated after the European Court of Justice found that it did not offer adequate protection for data transfers from Europe to the US.
The Privacy Shield was developed in response to this ruling to address EU concerns over US government surveillance of personal data. The Privacy Shield provided guidelines for companies handling data and included new US government assurances about how EU citizens’ data may be used.
Monitoring and enforcement
The Privacy Shield required more stringent monitoring and enforcement by the US Department of Commerce and the Federal Trade Commission (FTC), through increased cooperation with European data protection authorities.
Under the agreement, the US Department of Commerce was charged with conducting “regular reviews” to ensure compliance.
European citizens who felt that their privacy rights were violated could file complaints with their national data protection agencies. These agencies were to forward these complaints to the Department of Commerce or the Federal Trade Commission in the US.
Data privacy violation complaints could also be handled via an “arbitration mechanism” in certain instances.
Clear limitations, safeguards and oversight mechanisms
The US has assured EU member states that there will be “clear limitations, safeguards and oversight mechanisms” controlling how law enforcement and federal agencies access European citizen data.
The US has undertaken to collect bulk data only “under specific preconditions” and stated that data collection will be as “targeted and focused as possible,” according to a statement released by the EU Commission.
The EU–US Privacy Shield was based on the following four principles:
- Strong obligations on companies handling data
- Clear safeguards and transparency obligations on US Government access
- Effective protection of individual rights
- Annual joint review mechanism