European Union: The EU–U.S. Privacy Shield Approved

After months of criticism from various EU bodies and institutions, the much-anticipated EU–U.S. Privacy Shield has finally been approved by the European Commission, paving the way for self-certifying U.S. organizations to legally transfer EU personal data across the Atlantic. The adoption of this new framework ends months of uncertainty for thousands of companies that relied on the Privacy Shield's predecessor, the Safe Harbor Program, to transfer EU personal data across the Atlantic. The terms of the Privacy Shield are expected to be published in the U.S. Federal Register by mid-August 2016. Companies interested in self-certifying compliance with this new trans-Atlantic data-transfer framework can do so beginning August 1, 2016, when the Department of Commerce will begin accepting certifications. Now is the time for companies to consider whether certifying with the Privacy Shield is the best option for their business.


EU and U.S. officials released the details of the new "Privacy Shield" framework in February 2016 to replace the Safe Harbor with a more robust and comprehensive trans-Atlantic data-transfer scheme. The European Court of Justice ("ECJ") invalidated the Safe Harbor program in its October 6, 2015, Schrems decision, ruling that it failed to provide an adequate level of protection to personal data transferred from the European Union to the United States.[1]

Following its release, the Privacy Shield immediately became the subject of intense scrutiny, particularly by the Article 29 Working Party ("Working Party"), the European Parliament, and the European Data Protection Supervisor. All heralded the Privacy Shield as a positive step in the right direction, but they identified several deficiencies in the terms of the new framework and called for clarity and improvement. In particular, the Privacy Shield was heavily criticized for the complexity of the redress system, the need for more substantive detail on data retention restrictions, the apparent lack of independence of the proposed U.S. Privacy Shield Ombudsman, and overall uncertainty as to whether the U.S. government's "written assurances" would sufficiently safeguard against "massive and indiscriminate collection" of EU personal data by U.S. authorities. Privacy advocates, moreover, vowed to challenge the Privacy Shield for failing to adequately address and protect EU personal data from unfettered access by the U.S. intelligence community.

While the opinions of these EU bodies and institutions are nonbinding on the EU Commission, all have been highly influential in finalizing the terms of the Privacy Shield. The results of the continued negotiations between EU and U.S. officials have culminated in a revised version of the Privacy Shield approved by the Article 31 Committee, a group of national representatives from the EU Member States, on July 7, 2016.

With the Article 31 Committee's "strong support" for the Privacy Shield, EU and U.S. officials announced the approval of the new trans-Atlantic agreement on July 12, 2016, and made the final amended text of the Privacy Shield publicly available. The official text of the Privacy Shield remains largely based on the original text published in February 2016; however, it also provides more clarity with respect to certain principles and incorporates recommendations from EU bodies and institutions on legal redress mechanisms available to EU data subjects, data retention restrictions, and the role of the U.S. Ombudsman, among others.[2] The following highlights some of the key revisions to the Privacy Shield:

Privacy Shield and the EEA. Provided it is approved by the European Economic Area ("EEA") Joint Committee, the Privacy Shield will also apply to personal data transferred from members of the EEA, including Iceland, Liechtenstein, and Norway, in addition to all EU Member States. Notably, the Privacy Shield does not apply to data transfers from Switzerland. Switzerland has yet to adopt its own version of the Privacy Shield—as it did with the Safe Harbor—to legitimize personal data transferred to the United States.

Scope of Application. The revised text confirms that the Privacy Principles apply to both data controllers and data processors (i.e., agents). Moreover, data processors must be "contractually bound to act only on instruction" from the EU data controller and must assist the data controller in responding to individuals' requests to exercise their rights under the Privacy Shield (e.g., access requests).

The Privacy Shield is Not a Proxy for Compliance with the GDPR. The amended text clarifies that the Privacy Shield applies only to personal data transferred by EU data controllers or data processors to U.S. organizations certifying compliance with the Privacy Shield. It does not equate to compliance with EU legislation governing the processing of EU personal data within the European Union. In other words, Privacy Shield organizations must still assess whether they must also comply with the EU General Data Protection Regulation ("GDPR"), which comes into effect on May 25, 2018. Any Privacy Shield organization subject to the GDPR must also meet its broader requirements.

Privacy Shield Principles Revamped. The revised text of the Privacy Shield maintains the requirement that participating organizations commit to seven core Privacy Principles and 16 supplemental Principles. However, the final amended text revamps and elaborates upon a number of the core Privacy Shield Principles, largely in response to criticism with respect to the lack of clarity in the original text.

  • Data Integrity and Purpose Limitation Principle: This Principle requires organizations to ensure that data is accurate, complete, and current and that it is processed in a way that is compatible with the purpose(s) for which it was originally collected or subsequently authorized by data subjects. Under the Privacy Shield, organizations may retain personal data only for as long as it serves the purpose for which it was collected or subsequently authorized. Organizations may continue to process personal data for longer periods, but only for limited enumerated purposes such as archiving or journalism, among others. The language is largely consistent with the GDPR and may have a significant impact on companies seeking to retain data for analytics purposes.
  • Access Principle: The EU Commission's adequacy decision identifies certain U.S. federal laws covering specific sectors or data—such as mortgage offers, credit lending, and employment[3]—that provide protection against automated decisions that have an adverse effect on data subjects; however, the decision recognizes that there is an increased use of automated decisions and profiling not currently covered by U.S. law. The United States and the European Union have agreed to engage in continued dialogue on the similarities and differences in the EU and U.S. approach to automated decisions as part of the Privacy Shield annual reviews.
  • Accountability for Onward Transfer Principle: Under the Onward Transfer Principle, participating organizations can engage in onward transfers only if a contract with the third-party recipient is in place that requires the same level of protection guaranteed by the Privacy Principles. Data subjects also must be given notice of the transfer, and if the recipient is a third-party data controller, the subject can opt out of the transfer (or, in the case of sensitive data, must provide affirmative consent to the transfer). However, EU officials expressed concern that this Principle lacked clear guidance on regulating whether third-party recipients were adequately safeguarding data. The revised text now clarifies that the contract with the third-party recipient must require the recipient to notify the Privacy Shield organization when it can no longer meet the protection obligations. Specifically, contracts with a third-party controller must provide that the third party will either cease processing or take other reasonable and appropriate steps to remedy the situation. Conversely, if the contract is with a third-party processor (i.e., agent), it is the Privacy Shield organization that must take these measures. The Privacy Shield organization remains potentially liable for the actions of its processors (and subprocessors) unless it can demonstrate that it is not responsible for the damage caused.

Department of Commerce Increased Oversight. The new text of the Privacy Shield also reinforces the U.S. Department of Commerce's critical oversight role over the Privacy Shield, as it is tasked with: (i) maintaining and making publicly available a list of organizations participating in the Privacy Shield; (ii) systematically verifying that such organizations comply with the Privacy Principles; and (iii) removing those that have left the Privacy Shield either voluntarily or due to lack of compliance. Even when an organization has withdrawn, the Department of Commerce will still monitor departed organizations to verify that they have not only ceased all representations regarding Privacy Shield certification but also have returned or deleted all personal data processed under the framework, or otherwise continue to apply the Principles to such previously collected data.

In addition, the Department of Commerce will, on an ongoing basis, conduct ex officio compliance reviews of self-certified organizations by asking organizations to respond to detailed questionnaires, or otherwise when there are specific complaints or credible evidence of noncompliance. This includes, for example, ensuring that organizations have registered with independent dispute resolution bodies so that data subjects have access to recourse for potential noncompliance.

Redress, Enforcement, and Liability. The new text of the Privacy Shield was revised to provide clarity and further explanation on the recourse options available to EU data subjects, including a suggested "logical order" or sequence that data subjects can follow when pursuing available redress mechanisms. However, the revised text maintains the redress mechanisms established in the original draft text: individuals can still lodge a complaint directly to a self-certified organization, to an independent dispute resolution body designated by an organization, to a national data protection authority, or to an applicable U.S. regulator (e.g., the Federal Trade Commission). As a method of last resort, individuals can also invoke binding arbitration by the "Privacy Shield Panel," a pool of potential arbitrators designated by the Department of Commerce and the European Commission. Detailed discussion of the recourse options can be found here.

Access and Use by U.S. Intelligence and the Role of the Ombudsman. The most significant revisions to the Privacy Shield affect the issue of U.S. government access to European data.

The revised text includes additional assurances provided by the U.S. Office of the Director of National Intelligence ("ODNI"), which make explicit that intelligence collection should be "as tailored as feasible," and that the U.S. intelligence community should prioritize the availability of other alternatives over bulk collection. Moreover, according to assurances by the ODNI, bulk collection will be an exception and will be accompanied by additional safeguards, such as focusing collection on "specific, legitimate national security purposes" and using filters and other technical tools to limit data collection. Based on this analysis, the EU Commission asserts that these additional restrictions imposed on the access to EU personal data conform with the standards set forth in the ECJ's Schrems decision and EU Charter of Fundamental Rights.

Ombudsman. The amended text of the Privacy Shield now clarifies the independence of the Ombudsman to investigate claims and remedy noncompliance free from influence by the U.S. intelligence community. The Ombudsman was designed to provide EU citizens with another recourse mechanism to voice their concerns over the U.S. government's commitment to limit its access to EU personal data. Under the revised draft, the Ombudsman will rely on independent bodies to investigate surveillance complaints and to ensure that requests are processed and resolved in accordance with the law.

Brexit and the Privacy Shield

It is not clear whether—and to what extent—the Privacy Shield will remain in force in the United Kingdom in light of the country's recent decision to withdraw from the European Union. The United Kingdom is not expected to leave the European Union until at least May 2018, and to do so, it will need to invoke Article 50 of the Treaty on European Union, which commences withdrawal proceedings. Until then, organizations can rely on the Privacy Shield to transfer data from the United Kingdom to the United States. Whether organizations can continue to use the Privacy Shield once the United Kingdom formally severs its EU membership will largely depend on the details of the United Kingdom's relationship with the European Union. The United Kingdom could, for example, remain inside the EEA, and as a result, data transfers under the Privacy Shield could continue to flow to the United States from the United Kingdom. If it enters under different arrangements, it would need to agree on appropriate bilateral arrangements. Transfers of UK personal data to the United States under the Privacy Shield after Brexit will remain uncertain until the United Kingdom's overall relationship with the European Union is resolved.

What this Means for Business

Businesses will now have to evaluate the revamped Privacy Shield and assess whether compliance with the new framework is the best—and most practical—option to access EU personal data in the United States. Following the invalidation of the Safe Harbor, many businesses that previously relied on the defunct framework invested considerable time and resources to comply with alternative data-transfer mechanisms, including standard contractual clauses or Binding Corporate Rules. Businesses using these alternate mechanisms must take into account whether it makes good business sense to revert to a Safe Harbor 2.0—including revising their privacy policies and third-party data-transfer agreements to meet the Privacy Shield Principles.

For companies eager to certify compliance, there is a nine-month "grace period" for those organizations that self-certify within the two months following the Privacy Shield's effective date in order to modify existing contractual arrangements with third parties and bring them into "conformity with the accountability for onward transfer principle." Organizations must still, however, apply the Notice and Choice Privacy Principles and ensure that third-party recipients can provide the same level of protection guaranteed by the Privacy Principles.

Organizations that maintained their Safe Harbor certification may find an easier transition back to the Privacy Shield. The self-certification process is reminiscent of the Safe Harbor program, and given the overlap between the Safe Harbor and Privacy Shield principles, organizations previously Safe Harbor-certified may find the compliance requirements familiar, albeit more stringent. Still, even those organizations considering certifying compliance with the Privacy Shield within the first two months must be prepared to engage in expedient negotiations with service providers to revise their data processing agreements in conformance with Privacy Shield Principles. Those organizations failing to do so within the prescribed nine-month grace period may find themselves the first subjects of FTC enforcement and corresponding penalties.

The Article 29 Working Party is expected to weigh in on the Privacy Shield's amended text on July 25, 2016. Although its opinion is nonbinding, it will provide key insight into whether Europe's data protection authorities view the Privacy Shield as a robust data-transfer mechanism. Businesses considering the Privacy Shield also should expect privacy advocates and others to challenge the legality and viability of the Privacy Shield in court. In particular, it remains to be seen whether the additional assurances on bulk collection and access by U.S. intelligence agencies will satisfy EU courts. Other methods for transferring personal data across the Atlantic are also facing legal scrutiny. In late May 2016, the Irish Data Protection Commissioner said that it planned to ask national courts to request a preliminary ruling from the European Court of Justice ("ECJ") to review the validity of standard contractual clauses used by Facebook and countless other companies to transfer personal data outside the European Union.[4] An adverse decision from the ECJ may have a reverberating impact on the Privacy Shield and cross-border data flows generally.

Although there will likely be challenges, the approval of the Privacy Shield signals the end—at least for now—of a long period of uncertainty for the business community. Companies will now have another alternative to legally transfer EU personal data to the United States, in addition to standard contractual clauses and Binding Corporate Rules.


[1] See Jones Day Commentary, "'EU–U.S. Privacy Shield' to Replace 'Safe Harbor'" (Feb. 2016).

[2] See "Commission Implementing Decision Regarding the Adequacy of the Protection Provided by the European Union-U.S. Privacy Shield."

[3] Including the Equal Credit Reporting Act, 15 U.S.C. § 1691, et seq.; the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq., or the Fair Housing Act, 42 U.S.C. § 3601 et seq.

[4] Standard contractual clauses are essentially pre-adhesion contracts approved by the EU Commission to transfer personal data to non-EU data controllers and data processors.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.


Mauricio F. Paez
Laurent De Muyter
Undine von Diemar