Privacy Shield

  • Fabian Sinner
  • November 6, 2023

Privacy Shield

The Privacy Shield, also known as the EU-US Privacy Shield or EU-US Privacy Shield Framework, was an agreement between the European Union (EU) and the United States (US). It was designed to ensure data privacy and the lawful transfer of personal data of EU citizens to the US.

The Privacy Shield was introduced in 2016 to replace the previous Safe Harbor agreement, which had been declared invalid by the European Court of Justice. The Privacy Shield contained data protection principles and rules that US companies had to comply with when processing or transferring personal data from the EU.

Although the Privacy Shield was invalidated by the European Court of Justice in 2020, it remains an important milestone in the history of data protection and data transparency between the EU and the US.

What were the principles of the Privacy Shield?

The Privacy Shield was a data protection agreement between the European Union (EU) and the United States (US) based on the following principles:

• Notice: US companies that processed personal data from the EU were required to publish transparent privacy policies. These policies had to state what data was collected, how it was used, and what rights data subjects had.
• Choice: EU citizens had to be able to opt out of having their data shared with third parties. This meant that companies had to obtain consent from data subjects before sharing their data with others.
• Data Integrity and Purpose Limitation: Data was to be used only for the purposes for which it was collected. Companies were not allowed to keep data longer than was necessary for those purposes.
• Access: Individuals had the right to access their own personal data and correct it if it was inaccurate. This allowed EU citizens to retain control over their data.
• Security: Companies had to take appropriate security measures to protect personal data from loss, misuse and unauthorized access.
• Oversight: There was an independent body in the US, the Ombudsman, to which EU citizens could turn with privacy complaints.
• Enforcement: Companies participating in the Privacy Shield were subject to oversight and enforcement by the Federal Trade Commission (FTC) and the Department of Transportation (for certain transportation companies).

These principles were intended to ensure that the processing of EU citizens' personal data in the US complied with European data protection standards and respected the rights of data subjects.

Why did the agreement lose validity?

The Privacy Shield was declared invalid by a ruling of the European Court of Justice (ECJ) in July 2020. The court's central criticism was that the level of data protection in the US did not meet the European Union's requirements for the protection of personal data. Of particular concern was the ability of US authorities to access EU citizens' personal data without sufficient legal safeguards.

In addition, the court criticized the lack of effectiveness of the data protection measures. There were concerns that EU citizens did not have effective remedies or complaint mechanisms in the US when their data was processed unlawfully. The data protection principles in the Privacy Shield were considered insufficient to protect individuals' rights.

Another point of criticism concerned the extensive monitoring of data traffic by US intelligence agencies, such as the National Security Agency (NSA). These agencies had broad powers to monitor data without sufficient protections for EU citizens.

Finally, the ECJ also had concerns about the independence of the US data protection authorities that were supposed to monitor compliance with the Privacy Shield. The independence of these authorities may not have been sufficiently guaranteed.

As a result, the Privacy Shield was declared invalid and companies could no longer rely on it to transfer personal data from the EU to the US.

What has been the impact of the Privacy Shield repeal on global companies?

The repeal of the Privacy Shield had a significant impact on global companies, particularly those transferring personal data from the EU to the US or using services from US providers. It led to a period of considerable legal uncertainty, as there was no longer a clear legal basis for data sharing between the EU and the US.

Many companies were forced to revise their contracts and privacy policies to include alternative legal mechanisms, such as standard contractual clauses (SCCs) or binding corporate rules (BCRs). This process is typically time-consuming and complex.

Data protection authorities in the EU increased their monitoring of data transfers and required companies to be more transparent about their data flows and the safeguards they applied. Companies feared data protection risks and possible legal consequences if they transferred personal data without adequate legal protection.

Some companies, particularly technology companies, were forced to limit their services to European customers or leave the US market altogether because of difficulties in complying with EU privacy laws.

The Privacy Shield repeal also had a global impact, as many international companies were affected and feared similar legal challenges in other countries.

Overall, the repeal of the Privacy Shield forced companies to rethink their data protection policies and practices and find alternatives to ensure compliance with data protection laws. This was an extensive process that impacted the business models and international presence of many companies.

Are there alternatives to the Privacy Shield?

There are certainly alternatives to the Privacy Shield that companies can use to transfer personal data from the EU to the US. The most important are the following:

• Trans-Atlantic Data Privacy Framework: The successor agreement unveiled by the European Union and the United States in March 2022, commonly referred to as Privacy Shield 2.0.
• Standard Contractual Clauses (SCCs): SCCs are contracts approved by the European Commission that govern the legal requirements for international data transfers. Organizations can include these clauses in their data transfer contracts.
• Binding Corporate Rules (BCRs): BCRs are internal data protection policies developed by multinational companies and approved by EU data protection authorities. They enable the lawful transfer of data within the company and to third countries.
• User consent: Another option is to obtain explicit and informed consent from data subjects for data transfers. Such consent must comply with the requirements of the General Data Protection Regulation (GDPR).
• Data localization: Some companies choose to store and process data in data centers within the EU to avoid cross-border data transfer.
• National legislation: In some EU countries, national laws or regulations may have specific provisions for data transfer to third countries.

It is important to note that choosing the appropriate alternative depends on several factors, including the type of data being transferred, the type of organization, and the countries between which the data is being transferred. Organizations should carefully consider which alternative best fits their needs and their compliance with EU data protection laws. It is often recommended to seek professional data protection advice to ensure that the chosen alternative meets the requirements.

Why relying on European providers makes sense

The main reason these agreements exist is that the EU has stricter data protection laws. As such, it makes sense to rely on European companies for services, as this ensures that data protection is maintained in accordance with these strict guidelines. Personal data is only stored where it is actually specified, and third parties are not given access to it. On this note, our services also comply with these strict guidelines. If you have any questions on the subject, please feel free to contact one of our security experts.
