European Union: The EU–U.S. Privacy Shield Approved

After months of criticism from various EU bodies and institutions, the much-anticipated EU–U.S. Privacy Shield has finally been approved by the European Commission, paving the way for self-certifying U.S. organizations to legally transfer EU personal data across the Atlantic. The adoption of this new framework ends months of uncertainty for thousands of companies that relied on the Privacy Shield's predecessor, the Safe Harbor Program, to transfer EU personal data across the Atlantic. The terms of the Privacy Shield are expected to be published in the U.S. Federal Register by mid-August 2016. Companies interested in self-certifying compliance with this new trans-Atlantic data-transfer framework can do so beginning August 1, 2016, when the Department of Commerce will begin accepting certifications. Now is the time for companies to consider whether certifying with the Privacy Shield is the best option for their business.


EU and U.S. officials released the details of the new "Privacy Shield" framework in February 2016 to replace the Safe Harbor with a more robust and comprehensive trans-Atlantic data-transfer scheme. The European Court of Justice ("ECJ") invalidated the Safe Harbor program in its October 6, 2015, Schrems decision, ruling that it failed to provide an adequate level of protection to personal data transferred from the European Union to the United States.[1]

Following its release, the Privacy Shield immediately became the subject of intense scrutiny, particularly by the Article 29 Working Party ("Working Party"), the European Parliament, and the European Data Protection Supervisor. All heralded the Privacy Shield as a positive step in the right direction, but they identified several deficiencies in the terms of the new framework and called for clarity and improvement. In particular, the Privacy Shield was heavily criticized for the complexity of the redress system, the need for more substantive detail on data retention restrictions, the apparent lack of independence of the proposed U.S. Privacy Shield Ombudsman, and overall uncertainty as to whether the U.S. government's "written assurances" would sufficiently safeguard against "massive and indiscriminate collection" of EU personal data by U.S. authorities. Privacy advocates, moreover, vowed to challenge the Privacy Shield for failing to adequately address and protect EU personal data from unfettered access by the U.S. intelligence community.

While the opinions of these EU bodies and institutions are nonbinding on the EU Commission, all have been highly influential in finalizing the terms of the Privacy Shield. The results of the continued negotiations between EU and U.S. officials have culminated in a revised version of the Privacy Shield approved by the Article 31 Committee, a group of national representatives from the EU Member States, on July 7, 2016.

With the Article 31 Committee's "strong support" for the Privacy Shield, EU and U.S. officials announced the approval of the new trans-Atlantic agreement on July 12, 2016, and made the final amended text of the Privacy Shield publicly available. The official text of the Privacy Shield remains largely based on the original text published in February 2016; however, it also provides more clarity with respect to certain principles and incorporates recommendations from EU bodies and institutions on legal redress mechanisms available to EU data subjects, data retention restrictions, and the role of the U.S. Ombudsman, among others.[2] The following highlights some of the key revisions to the Privacy Shield:

Privacy Shield and the EEA. Provided it is approved by the European Economic Area ("EEA") Joint Committee, the Privacy Shield will also apply to personal data transferred from members of the EEA, including Iceland, Liechtenstein, and Norway, in addition to all EU Member States. Notably, the Privacy Shield does not apply to data transfers from Switzerland. Switzerland has yet to adopt its own version of the Privacy Shield—as it did with the Safe Harbor—to legitimize personal data transferred to the United States.

Scope of Application. The revised text confirms that the Privacy Principles apply to both data controllers and data processors (i.e., agents). Moreover, data processors must be "contractually bound to act only on instruction" from the EU data controller and must assist the data controller in responding to individuals' requests to exercise their rights under the Privacy Shield (e.g., access requests).

The Privacy Shield is Not a Proxy for Compliance with the GDPR. The amended text clarifies that the Privacy Shield applies only to personal data transferred by EU data controllers or data processors to U.S. organizations certifying compliance with the Privacy Shield. It does not equate to compliance with EU legislation governing the processing of EU personal data within the European Union. In other words, Privacy Shield organizations must still assess whether they must also comply with the EU General Data Protection Regulation ("GDPR"), which comes into effect on May 25, 2018. Any Privacy Shield organization subject to the GDPR must also meet its broader requirements.

Privacy Shield Principles Revamped. The revised text of the Privacy Shield maintains the requirement that participating organizations commit to seven core Privacy Principles and 16 supplemental Principles. However, the final amended text revamps and elaborates upon a number of the core Privacy Shield Principles, largely in response to criticism with respect to the lack of clarity in the original text.

  • Data Integrity and Purpose Limitation Principle: This Principle requires organizations to ensure that data is accurate, complete, and current and that it is processed in a way that is compatible with the purpose(s) for which it was originally collected or subsequently authorized by data subjects. Under the Privacy Shield, organizations may retain personal data only for as long as it serves the purpose for which it was collected or subsequently authorized. Organizations may continue to process personal data for longer periods, but only for limited enumerated purposes such as archiving or journalism, among others. The language is largely consistent with the GDPR and may have a significant impact on companies seeking to retain data for analytics purposes.
  • Access Principle: The EU Commission's adequacy decision identifies certain U.S. federal laws covering specific sectors or data—such as mortgage offers, credit lending, and employment[3]—that provide protection against automated decisions that have an adverse effect on data subjects; however, the decision recognizes that there is an increased use of automated decisions and profiling not currently covered by U.S. law. The United States and the European Union have agreed to engage in continued dialogue on the similarities and differences in the EU and U.S. approach to automated decisions as part of the Privacy Shield annual reviews.
  • Accountability for Onward Transfer Principle: Under the Onward Transfer Principle, participating organizations can engage in onward transfers only if a contract with the third-party recipient is in place that requires the same level of protection guaranteed by the Privacy Principles. Data subjects also must be given notice of the transfer, and if the recipient is a third-party data controller, the subject can opt out of the transfer (or, in the case of sensitive data, must provide affirmative consent to the transfer). However, EU officials expressed concern that this Principle lacked clear guidance on regulating whether third-party recipients were adequately safeguarding data. The revised text now clarifies that the contract with the third-party recipient must require the recipient to notify the Privacy Shield organization when it can no longer meet the protection obligations. Specifically, contracts with a third-party controller must provide that the third party will either cease processing or take other reasonable and appropriate steps to remedy the situation. Conversely, if the contract is with a third-party processor (i.e., agent), it is the Privacy Shield organization that must take these measures. The Privacy Shield organization remains potentially liable for the actions of its processors (and subprocessors) unless they can demonstrate that they are not responsible for the damage caused.

Department of Commerce Increased Oversight. The new text of the Privacy Shield also reinforces the U.S. Department of Commerce's critical oversight role in the Privacy Shield, as it is tasked with: (i) maintaining and making publicly available a list of organizations participating in the Privacy Shield; (ii) systematically verifying that such organizations comply with the Privacy Principles; and (iii) removing those that have left the Privacy Shield either voluntarily or due to lack of compliance. Even when an organization has withdrawn, the Department of Commerce will still monitor departed organizations to verify that they have not only ceased all representations regarding Privacy Shield certification but also have returned or deleted all personal data processed under the framework, or otherwise continue to apply the Principles to such previously collected data.

In addition, the Department of Commerce will, on an ongoing basis, conduct ex-officio compliance reviews of self-certified organizations by asking organizations to respond to detailed questionnaires, or otherwise when there are specific complaints or credible evidence of noncompliance. This includes, for example, ensuring that organizations have registered with independent resolution bodies to ensure data subjects have access to recourse for potential noncompliance.

Redress, Enforcement, and Liability. The new text of the Privacy Shield was revised to provide clarity and further explanation on the recourse options available to EU data subjects, including a suggested "logical order" or sequence that data subjects can follow when pursuing available redress mechanisms. However, the revised text maintains the redress mechanisms established in the original draft text: individuals can still lodge a complaint directly to a self-certified organization, to an independent dispute resolution body designated by an organization, to a national data protection authority, or to an applicable U.S. regulator (e.g., the Federal Trade Commission). As a method of last resort, individuals can also invoke binding arbitration by the "Privacy Shield Panel," a pool of potential arbitrators designated by the Department of Commerce and the European Commission. Detailed discussion of the recourse options can be found here.

Access and Use by U.S. Intelligence and the Role of the Ombudsman. The most significant revisions to the Privacy Shield affect the issue of U.S. government access to European data.

The revised text includes additional assurances provided by the U.S. Office of the Director of National Intelligence ("ODNI"), which make explicit that intelligence collection should be "as tailored as feasible," and that the U.S. intelligence community should prioritize the availability of other alternatives over bulk collection. Moreover, according to assurances by the ODNI, bulk collection will be an exception and will be accompanied by additional safeguards, such as focusing collection on "specific, legitimate national security purposes" and using filters and other technical tools to limit data collection. Based on this analysis, the EU Commission asserts that these additional restrictions imposed on the access to EU personal data conform with the standards set forth in the ECJ's Schrems decision and EU Charter of Fundamental Rights.

Ombudsman. The amended text of the Privacy Shield now clarifies the independence of the Ombudsman to investigate claims and remedy noncompliance free from influence by the U.S. intelligence community. The Ombudsman was designed to provide EU citizens with another recourse mechanism to voice their concerns over the U.S. government's commitment to limit its access to EU personal data. Under the revised draft, the Ombudsman will rely on independent bodies to investigate surveillance complaints and to ensure that requests are processed and resolved in accordance with the law.

Brexit and the Privacy Shield

It is not clear whether—and to what extent—the Privacy Shield will remain in force in the United Kingdom in light of the country's recent decision to withdraw from the European Union. The United Kingdom is not expected to leave the European Union until at least May 2018, and to do so, it will need to invoke Article 50 of the Treaty on European Union, which commences withdrawal proceedings. Until then, organizations can rely on the Privacy Shield to transfer data from the United Kingdom to the United States. Whether organizations can continue to use the Privacy Shield once the United Kingdom formally severs its EU membership will largely depend on the details of the United Kingdom's relationship with the European Union. The United Kingdom could, for example, remain inside the EEA, and as a result, data transfers under the Privacy Shield could continue to flow to the United States from the United Kingdom. If it enters under different arrangements, it would need to agree on appropriate bilateral arrangements. Transfers of UK personal data to the United States under the Privacy Shield after Brexit will remain uncertain until the United Kingdom's overall relationship with the European Union is resolved.

What this Means for Business

Businesses will now have to evaluate the revamped Privacy Shield and assess whether compliance with the new framework is the best—and most practical—option to access EU personal data in the United States. Following the invalidation of the Safe Harbor, many businesses that previously relied on the defunct framework invested considerable time and resources to comply with alternative data-transfer mechanisms, including standard contractual clauses or Binding Corporate Rules. Businesses using these alternate mechanisms must take into account whether it makes good business sense to revert to a Safe Harbor 2.0—including revising their privacy policies and third-party data-transfer agreements to meet the Privacy Shield Principles.

For companies eager to certify compliance, there is a nine-month "grace period" for those organizations that self-certify within the two months following the Privacy Shield's effective date in order to modify existing contractual arrangements with third parties and bring them into "conformity with the accountability for onward transfer principle." Organizations must still, however, apply the Notice and Choice Privacy Principles and ensure that third-party recipients can provide the same level of protection guaranteed by the Privacy Principles.

Organizations that maintained their Safe Harbor certification may find an easier transition back to the Privacy Shield. The self-certification process is reminiscent of the Safe Harbor program, and given the overlap between the Safe Harbor and Privacy Shield principles, organizations previously Safe Harbor-certified may find the compliance requirements familiar, albeit more stringent. Still, even those organizations considering certifying compliance with the Privacy Shield within the first two months must be prepared to engage in expedient negotiations with service providers to revise their data processing agreements in conformance with Privacy Shield Principles. Those organizations failing to do so within the prescribed nine-month grace period may find themselves the first subjects of FTC enforcement and corresponding penalties.

The Article 29 Working Party is expected to weigh in on the Privacy Shield's amended text on July 25, 2016. Although its opinion is nonbinding, it will provide key insight into whether Europe's data protection authorities view the Privacy Shield as a robust data-transfer mechanism. Businesses considering the Privacy Shield also should expect privacy advocates and others to challenge the legality and viability of the Privacy Shield in court. In particular, it remains to be seen whether the additional assurances on bulk collection and access by U.S. intelligence agencies will satisfy EU courts. Other methods for transferring personal data across the Atlantic are also facing legal scrutiny. In late May 2016, the Irish Data Protection Commissioner said that it planned to ask national courts to request a preliminary ruling from the ECJ to review the validity of standard contractual clauses used by Facebook and countless other companies to transfer personal data outside the European Union.[4] An adverse decision from the ECJ may have a reverberating impact on the Privacy Shield and cross-border data flows generally.

Although there will likely be challenges, the approval of the Privacy Shield signals the end—at least for now—of a long period of uncertainty for the business community. Companies will now have another alternative to legally transfer EU personal data to the United States, in addition to standard contractual clauses and Binding Corporate Rules.


[1] See Jones Day Commentary, "'EU–U.S. Privacy Shield' to Replace 'Safe Harbor'" (Feb. 2016).

[2] See "Commission Implementing Decision Regarding the Adequacy of the Protection Provided by the European Union-U.S. Privacy Shield."

[3] Including the Equal Credit Reporting Act, 15 U.S.C. § 1691, et seq.; the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq., or the Fair Housing Act, 42 U.S.C. § 3601 et seq.

[4] Standard contractual clauses are essentially pre-adhesion contracts approved by the EU Commission to transfer personal data to non-EU data controllers and data processors.


Mauricio F. Paez
Laurent De Muyter
Undine von Diemar