What is EU-US Privacy Shield?
A look at the now invalidated framework US companies relied on to transfer data to and from the European Union
Privacy Shield was a regulatory framework that governed the transfer of data between the European Union and the United States. Its principal purpose was to act as a mechanism for US companies to receive data from the EU, thereby ensuring smooth data transfers despite the fact that the two countries operated in separate data protection jurisdictions.
In effect, Privacy Shield fulfilled the same purpose as an adequacy agreement, which is required of any third country outside the regulatory reach of the EU's General Data Protection Regulation (GDPR). Such an agreement signals that the EU recognises the data protection laws of the third country as robust enough to protect the data of EU citizens, making that country eligible to receive EU data.
Privacy Shield was ruled invalid by the European Court of Justice on 16 July 2020 as part of the Facebook Ireland vs Max Schrems case. The ECJ argued that the creation of Privacy Shield gave primacy to US surveillance laws, with its current form being unable to provide adequate protections for EU resident data. It was also ruled that the mechanism did not provide data subjects with an adequate point of redress or cause of action when issuing complaints.
Where did Privacy Shield come from?
Privacy Shield was the second attempt to harmonise data flows between the US and the EU, itself a replacement for the 'International Safe Harbour Privacy Principles', known commonly as Safe Harbour (not to be confused with the Safe Harbor provision related to the non-violation of statute).
However, the history of both Privacy Shield and Safe Harbour frameworks dates back to the mid-1980s, when the European Union began pursuing policies aimed at enhancing the protections offered to data subjects throughout member states. In order to do that, it was important to ensure that European data subjects could expect the same levels of protection wherever their data was sent.
In 1995, the EU adopted the Data Protection Directive, the first piece of legislation in the line that would eventually evolve into the General Data Protection Regulation in force today. Despite covering a range of data protection issues, one of its chief purposes was to prevent companies operating in the EU from sending data to third countries (those outside the European Economic Area) unless some guarantee existed to ensure adequate levels of protection.
This increase in user protections did not align with US policy, particularly given the far-reaching powers that intelligence agencies such as the NSA have had over user data. However, given the commercial importance of data transfers to the US, it was deemed necessary to provide an additional mechanism beyond a formal adequacy agreement, standard contractual clauses, or binding corporate rules, that would make it easier for US companies to legally receive data.
Developed between 1998 and 2000, the Safe Harbour Privacy Principles were initially designed to prevent organisations in the US and the EU from accidentally disclosing personal information by providing clear guidelines on how to collect and manage data. These principles incorporated some of the requirements set out by the Data Protection Directive, including the need for better security, relevant data collection, and the restrictions on third-country transfers, only these were voluntary for US companies. However, by July 2000, it was decided that any US company that was able to demonstrate its commitment to these Safe Harbor Principles would be permitted to send and receive data from the EU – known as the "Safe Harbor Decision".
US companies operated under the provisions of the Safe Harbor Decision for over 15 years, but in October 2015 the European Court of Justice ruled that the Safe Harbour Decision was invalid. The reason for this ruling was mainly that giving public authorities access to EU individuals' data through mere adherence to general principles was in direct conflict with the right to privacy as enshrined in Article 8 of the European Convention on Human Rights (ECHR). In essence, the ECJ found that the Safe Harbour Principles were incompatible with EU data laws given that the framework lacked any operational oversight from US or EU agencies.
Enter Privacy Shield
Privacy Shield, introduced in early 2016, was an attempt to rectify these issues, promising to enforce tougher obligations on US companies – namely the requirement to monitor and enforce data protections more robustly, and cooperate with European data protection authorities.
As with Safe Harbor, it was a voluntary mechanism that US companies could use to legally send and receive data from the EU. Those that agreed to process data under Privacy Shield were required to publicly advertise their compliance – a notice that said they were committed to providing higher standards of data protection and that they were liable to strict fines if found to be in breach of them.
As part of this compliance, organisations were required to give European users a means to opt out of having their data sold to third parties, as well as rigorously protect any data they do collect. EU data subjects were also protected from any misuse of data beyond its originally advertised processing purpose and had the right to access, correct, amend or delete any data that an organisation held on them, provided it was inaccurate or had been used in a way that breached Privacy Shield principles.
These protections only existed for EU citizens – US citizens were only protected by federal or state US laws.
Privacy Shield fines & sanctions
The US Federal Trade Commission, the agency overseeing Privacy Shield enforcement, had the power to bring fines against any company found to be in breach of Privacy Shield standards.
Any US organisation that failed to abide by their commitments to upholding Privacy Shield principles could face a number of different penalties. Firstly, the FTC could issue administrative or court orders to compel an organisation to fix any violations. Failure to abide by these orders could result in civil penalties of up to $40,000 for each violation, or $40,000 per day for ongoing violations.
Any organisation found to be in persistent violation of Privacy Shield standards would have its eligibility revoked, which prevented it from using the mechanism for data transfers. This included any company that had been found to be in regular breach of the standards, even if those breaches were unrelated to one another. The Department of Commerce would then remove the company's name from the Privacy Shield List.
What does Privacy Shield require of US businesses?
Privacy Shield was voluntary for US businesses; however, organisations were strongly advised to sign up to the framework, particularly if they planned to expand into Europe in the future.
Those that signed up were required to do the following:
- Publish a detailed public-facing statement of their commitment to the Privacy Shield Principles and of how they ensured their processes were compliant.
- Ensure that mechanisms were in place to restrict data sharing with third parties where a user had opted out. All third parties that received such data also had to publicly display their commitment to Privacy Shield.
- Respond to all access and deletion requests from users, and provide a means for users to change their data, provided the request was feasible.
- Ensure that all systems were maintained and protected from unauthorised access.
Criticisms of Privacy Shield
Both Safe Harbour and Privacy Shield highlighted an ongoing clash between the US and the EU over data protection rights.
The European Union has worked to increase protections, and now operates one of the most robust data protection regimes in the world. Data processing is heavily scrutinised under GDPR, with companies facing the prospect of crippling fines for any loss of data.
The US, meanwhile, has increased the surveillance powers of its intelligence agencies over the years, particularly following the introduction of the US Patriot Act in 2001. Intelligence agencies are able to use programmes such as PRISM to collect data from US internet companies, as well as the Foreign Intelligence Surveillance Act (FISA) to gather data on US citizens. Perhaps most importantly for EU authorities, the US has yet to work towards a centralised federal data protection regime, let alone one that begins to mirror GDPR. Aside from states such as California, there have been few attempts to expand data protection rights.
Privacy Shield was, therefore, an attempt at a compromise on the part of the EU to overcome this ongoing contradiction – a mechanism that allows US companies to prove they can operate under GDPR-like controls.
Not everyone agreed that the EU's good faith was reciprocated, however. Most notably, as part of the relationship, the US had the duty of appointing an ombudsperson to act as an additional point of redress for any EU citizens raising complaints against a company. This position sat vacant until June 2019, when Keith Krach was confirmed as the US' first permanent Privacy Shield Ombudsperson, leaving many to question whether the country was taking its role seriously enough.
Concerns had also been raised over the years about the framework's ability to protect EU data. In 2016, European data protection supervisor, Giovanni Buttarelli, argued that "significant improvements" were needed and that, as it stood, Privacy Shield was simply "not robust enough to withstand future legal scrutiny before the court". He also added that it was "time to develop a longer term solution in the transatlantic dialogue".
Max Schrems, the Austrian legal activist who brought the case to the ECJ that would ultimately lead to Privacy Shield's downfall, argued that Privacy Shield was hastily put together in order to fill the gap left by the previous framework and that those behind it.
"Sometimes I call it Safe Harbour 1.0.1 because basically most of the text is exactly the same, most of the structure is exactly the same," said Schrems, speaking at a data protection summit in London in June 2019, adding that he often referred to it instead as "lipstick on a pig".
Speaking on the speed at which it was negotiated, he said: "There was a deadline on January 31. What happened was that they failed to come to any kind of agreement. I was asking later and apparently the Europeans stood off the table and said there was no way we're ever going to get it. 48 hours later and there was [suddenly] a deal. Another 24 hours later and we got this logo."
What will replace Privacy Shield?
Now that Privacy Shield has been invalidated, businesses are, technically, no longer allowed to transfer data using the mechanism. However, given the disruption that’s going to be caused by the judgement, it’s very likely that a grace period will be announced, allowing for businesses to continue to use the mechanism while a replacement is being considered. In the case of the invalidation of Safe Harbour, businesses were initially given a grace period of three months, although it would take six months before Privacy Shield was introduced.
It’s not clear how long a replacement to Privacy Shield might take, however, given that Privacy Shield and Safe Harbour were invalidated for very similar reasons, it’s likely a more robust system will be demanded by advocates in the EU Commission. To facilitate this, the EU could ask the US to commit to far greater protections for EU resident data, or move towards greater regulatory alignment. Whatever the detail of the agreement, any friction between the two sides will almost certainly cause delay.