+4 votes
in Digital law by (80.9k points)
Privacy Shield: the controversial data transfer agreement between the EU and the US

1 Answer

+5 votes
by (536k points)
Best answer

The current situation: what implications does the end of the Privacy Shield agreement have?
What is the Privacy Shield agreement between the EU and the US?
Content and general conditions of the Privacy Shield
Privacy Shield: pros and cons
The practical application of the Privacy Shield
Conclusion: a transitional regulation without a solid foundation.


Privacy Shield: the controversial data transfer agreement between the EU and the US

The Privacy Shield agreement between the EU and the US regulated the transfer of personal data from the EU to the US from 2016 to 2020. This agreement was declared void in July 2020 (Schrems II judgment), for not being able to guarantee data protection in accordance with the RGPD. Until new regulations come into force, companies are subject to stricter measures and, if they want to avoid being penalized, they must improve data protection in the US..

  1. The current situation: what implications does the end of the Privacy Shield agreement have?
  2. What is the Privacy Shield agreement between the EU and the US?
  3. Content and general conditions of the Privacy Shield
  4. Privacy Shield: pros and cons
  5. The practical application of the Privacy Shield
  6. Conclusion: a transitional regulation without a solid foundation.

The current situation: what implications does the end of the Privacy Shield agreement have?

Although the Privacy Shield was declared void, companies can continue to export personal data to the US. To do this they can continue to use the EU Standard Contractual Clauses (SCC). SMEs, which until now relied on this agreement, can now turn to standard EU contractual clauses or other alternatives . Some companies will need to consider Binding Corporate Rules (BCR).


The Binding Corporate Rules are used by multinationals and other companies with an international presence to establish rules that govern the transfer of personal data at the corporate level. Once authorization has been received from the regulatory entity, it is guaranteed that these rules comply with the data protection guarantees at European level. The RGPD establishes the requirements and requirements of the BCR in article 47..

However, according to the Schrems II ruling , the use of standard contractual clauses entails adhering to stricter regulations : companies must introduce additional measures and in principle treat each data transfer as a particular case , and must ensure that each country has a sufficient level of data protection. If this condition is not met, for example, due to security legislation in that country, the company is obliged to stop the transfer of data.

Furthermore, these standard clauses are subject to inspection by the European supervisory and data protection bodies . If the legal situation of a country prevents the recipient of the data from complying with its obligations under the standard clauses, the data transfer may be interrupted or even prohibited. The whole process must be taken into account when analyzing the level of data protection. It must be ensured at all times that, for example, the judicial or national security authorities of the host country do not have access to personal data..

In the current situation, case-by-case assessment is particularly difficult for SMEs as they usually do not have the technical knowledge and the means to verify in detail whether there is, for example, an adequate level of data protection in a third country . Furthermore, the CJEU ruling does not specify exactly what rules will apply specifically to individual case evaluations or possible extensions to standard contractual clauses.

SMEs should still actively address the issue. Legal experts advise taking the greatest possible precautions and documenting in detail the data protection procedures that apply. Companies will thus be prepared for a possible legal dispute and will be able to better defend their own actions in court once the Privacy Shield is terminated.

A concrete protection measure is to carefully apply the formal aspects of the general data protection clauses (for example, by means of a detailed description of the data flows). Furthermore, only absolutely necessary personal data should be collected and transmitted. In addition, legal experts recommend conducting a well-founded and well-documented risk analysis that considers relevant issues. For example, the legal situation in the United States or in countries outside the EU should be thoroughly analyzed and the likelihood of unauthorized access to data assessed.

Furthermore, it should be clarified whether, given the current situation, the recipient of the data assumes additional contractual obligations (eg increased monitoring and reporting obligations). In the current situation, companies could also require their business partners and service providers in the United States to use all available technical means in order to optimize data protection - for example, the use of end-to-end encryption in a video conferencing software.

Those who can renounce data transfers, cloud services and servers in third countries outside the EU, should look for alternatives in the EU that comply with the regulations of the General Data Protection Regulation (RGPD) . In addition, they should also closely monitor developments concerning data protection legislation . The European Data Protection Committee (CEPD) reports on the current situation in its frequently asked questions about the CJEU ruling on the Privacy Shield agreement.

What is the Privacy Shield agreement between the EU and the US?

The Privacy Shield was officially introduced in mid-2016 as the successor to the Safe Harbor data transfer agreement between the European Union and the United States. The aim of the agreement was to protect the data of European citizens that is stored and processed by companies based in the USA after having been transferred to this country. This refers exclusively to personal data , which, for example, is largely collected in online commerce. Personal data includes phone numbers, customer numbers, credit cards, account data, physical appearances or addresses of EU citizens, among others.

The successor to the Safe Harbor agreement ceased to be in force in July 2020 after a ruling by the CJEU. In the so-called Schrems II judgment of July 16, 2020, the CJEU rules that the level of security required in the RGPD is not reached in personal data stored and processed in the USA .


The General Data Protection Regulation was approved in the European Parliament by a large majority on April 14, 2016, and entered into force on May 25, 2018 after a two-year transition phase.

In doing so, the CJEU also overturned the European Commission's adequacy finding , which repeatedly confirmed that the US had a sufficient level of data protection. The CJEU ruling followed a lawsuit filed by data protection expert Maximilian Schrems , which had already led to the end of the Safe Harbor agreement with a previous lawsuit. The Austrian wanted to prohibit Facebook Ireland from transferring his personal data to the United States and had filed a complaint with the Irish data protection authority. When the Irish High Court of Justice did not initiate any proceedings, Schrems sued him. In the second case, the Irish data protection authority referred the matter to the Court of Justice of the European Union for legal review, which eventually annulled the Privacy Shield agreement between the EU and the US.

Content and general conditions of the Privacy Shield

The successor to Safe Harbor was based on special data protection measures and regulations that had to be followed by the US. An important element was that American companies could be certified for the Privacy Shield . After a US company voluntarily submitted to the terms of the agreement, an inspection was carried out by the US Department of Commerce. Once a company had completed the process successfully, its name was included in a freely accessible database. When the agreement ended, the list included a total of 5,384 organizations .

The Privacy Shield agreement between the EU and the US guaranteed EU citizens broad rights when their personal data was transferred to certified companies in the US. EU citizens could contact US companies directly to claim their rights. These companies had to respond to citizen requests within 45 days. The rights guaranteed in the Privacy Shield were the following:

  • Right to information
  • Right to appeal (an objection to data processing could be made, if necessary)
  • Right to correct inaccurate data
  • Right to erasure of data
  • Complaint procedures were available

To ensure compliance with the agreement and protection of their rights, EU citizens could also turn to an Ombudsman within the US Department of State . The Ombudsman had to be independent from all intelligence services, investigate the demands of individuals and in specific cases provide information on whether current legislation was being respected. However, the position was initially vacant and was not filled until 2018 despite the insistence of the EU . Manisha Singh initially worked as the Ombudsman, followed by Keith Krach in June 2019.

Alternatively, EU citizens could also contact their respective national data protection authorities , who in turn could contact the US Federal Trade Commission (FTC) for further clarification. The arbitration procedure with an enforceable arbitration award was the last resort in case a mutual agreement was not reached. All companies could also act in accordance with the recommendations of the European data protection authorities . Companies that process personal data, in the same way, are obliged to do so.

A prerequisite for the validity of the Privacy Shield agreement was an adequacy decision by the European Commission certifying that the United States had adequate data protection regulations for the storage and processing of personal data from the EU. The 2016 Adequacy Decision was reviewed annually and renewed if the required level of data protection was met . The European Commission and the United States Department of Commerce carried out the review jointly, also with the participation of professionals. The procedure resulted in a public report that was presented to the European Parliament and Council.

Despite these extensive data protection measures, there was no certainty that mass surveillance did not exist. The United States could still collect data for six purposes, which, when examined closely, leave some room for interpretation:

  • The fight against terrorism
  • The revelation of activities of foreign powers
  • Fighting the proliferation of weapons of mass destruction
  • Cybersecurity
  • Protecting the U.S. and Allied Forces
  • Fighting international criminal threats

Privacy Shield: pros and cons

The broad rights of European citizens to lodge complaints with various bodies in the event of data protection breaches by US companies was one of the benefits of the Privacy Shield agreement. An important component was also the purpose limitation principle . The data could only be recorded and processed for a clearly defined in advance and legally permissible purpose.

However, the Privacy Shield agreement between the EU and the US was opposed from the start . For critics, the agreement was not broad enough. They claimed that the requirements of the CJEU were not sufficiently met and that many inconsistencies were hidden. Given that the position of Ombudsman was assigned to the Ministry of Foreign Affairs , critics considered that the agreement lacked institutional independence and interpreted it as a conflict with the basic data protection regulations (Article 52 para. 1 of the GDPR). They also criticized the fact that affected EU citizens were unable to take legal action against the decisions of the Ombudsman's office.

Another major criticism was that the mass surveillance measures were not subject to a proportionality test and therefore violated European law. The United States remained the central supervisory power and there was no evidence of an investigation by the supervisory authorities. Critics also missed an urgent check on America's big online companies.

Following these shortcomings, critics and experts assumed that the agreement would not withstand an in-depth review by the CJEU , and therefore was not a durable solution. Minor differences from the Safe Harbor agreement were repeatedly pointed out. Numerous critics denounced that the Privacy Shield agreement did not make up for the shortcomings of the previous law.

The practical application of the Privacy Shield

The abrupt end of the Safe Harbor agreement gave rise to a feeling of uncertainty in the business world . Penalties were feared if breaches of data protection were found during an inspection. In addition, the new rules meant an investment of time and money for companies to adapt to the new data protection regulation.

A large number of companies adopted the standard EU contractual clauses at that time , or used these as an extension of the Safe Harbor agreement (eg Facebook). This practice increased during the transition phase towards the Privacy Shield agreement between the EU and the US and was maintained for as long as it remained in force. And is that companies did not want to rely solely on an agreement on data protection that, like its predecessor, failed to eliminate conflicts and basic data protection problems.

Annual inspections, often pointing to the end of the deal, reinforced that mistrust. The alternative or parallel use of standard contractual clauses was also a reaction to the poor implementation of the main points of the Privacy Shield agreement in the US. An example was the extremely long delay in filling the position of Ombudsman.

Conclusion: a transitional regulation without a solid foundation.

Since the entry into force of the RGPD, international data protection agreements have it difficult. The Privacy Shield ended up being merely a transitional regulation , which only temporarily introduced a binding legal framework for the international transfer of personal data and which, after being eliminated, was above all a good deal of confusion and confusion for the affected companies.

The fate of the Privacy Shield shows that the fundamental problems of data protection in a context of increasing digitization cannot be camouflaged, but must be permanently corrected within the framework of the GDPR. Otherwise, long-term business models that operate with personal data at an international level would lose their foundation.

There are already signs of a growing awareness of data protection in the US, and with it an approach to the principles of the GDPR, as shown by the California Consumer Privacy Act (CCPA). That the high level of demand of the premises of the RGPD make it a globally adopted standard for digital commerce seems quite doubtful at the moment, at least judging by the enormous differences in terms of the treatment of personal data at a global level.

The RGPD, which is currently being expanded by other European data protection regulations , such as the Electronic Privacy Regulation and directives such as the Guide on the use of cookies, could reveal itself as a growing point of conflict for business relations at an international level. .

Please take into account the legal notice related to this article.