What is the EU-US Privacy Shield?

EU-US Privacy Shield is an agreement whose purpose is to regulate the exchange of citizens’ personal data in a commercial setting between US companies and citizens of European Union countries, taking into account the strict laws of the European Union, which aim to protect the data of European Union citizens. Known as GDPR, the General Data Protection Regulation ensures strict protection of EU citizens’ data, which prevents the sharing or selling of this data between companies.

Many American companies do business in the European Union, which makes these companies subject to EU laws, including laws governing the exchange of citizens’ data. Under the GDPR, US companies face great difficulties in sharing data with EU citizens.

Some countries outside the European Union have weak data protection laws and are not close to those of the European Union. This makes sharing EU citizens’ data with foreign companies a barrier for countries that have strict data protection laws equivalent or close to those of the EU (such as Canada and Argentina). We note that the United States is not one of these countries, so there is a gap between the laws in the United States related to the protection of personal data privacy and the laws in the EU (GDPR).

Why do we need the privacy shield?

In October 1988, the European Commission’s Data Protection Directive was implemented, which prevents the transfer of data from the European Union to countries outside the European Union whose laws do not comply with European Union data sharing and protection laws (and, of course, from those countries to the United States). Thus, both the US Department of Commerce and the European Commission are establishing EU-US Privacy Shield, which in turn, enables the transfer of personal data between companies on both sides of the Atlantic in a way that does not conflict with the EU General Data Protection Regulation (GDPR).

As for the transfer of US citizens’ data to EU companies, this is included in the agreement, although it is not an obstacle and was not a major reason for the creation of the EU-US privacy shield. That’s because data sharing and regulatory laws in the United States are not as stringent as those in the European Union to protect data privacy, which gives EU companies some freedom to share data of US citizens without the need for this agreement. The main reason for the agreement is the inability of US companies to access certain data of European citizens, and this is because it contravenes the EU’s General Data Protection Regulation (GDPR).

We can therefore say that The Privacy Shield is a program aimed at trying to bridge the gap in data privacy laws between the European Union and the United States, which allows American companies to see some of the personal information of European Union citizens.

Why do we need a privacy policy?

International law requires the protection of the privacy of individuals’ personal data. It is also necessary for customers who decide to use the services of US companies to guarantee their right to data privacy. Without the privacy shield, trade between the United States and the European Union would be halted.

Main points and principles of the EU-US Privacy Shield

The U.S. Department of Commerce has developed numerous principles and laws to meet the requirements and conditions of the European Union, and in an attempt to avoid the reasons that led to the elimination of the international Safe Harbor privacy principles, these principles and frameworks include:

EU records and principles for individuals:

  • Individuals have the right to file a complaint directly with Privacy Shield participants, and the Privacy Shield organization must respond to the complaint within 45 days.
  • Participants in the Privacy Shield must provide, free of charge, a mechanism for the examination and resolution of issues raised by citizens. If an individual files a complaint directly with the EU Data Protection Authority (DPA), the US Department of Commerce is required to receive, review and resolve the complaint and respond to the citizen within 90 days. The U.S. Federal Trade Commission (FTC) has committed to assisting and supporting data protection authorities (DPAs), including sharing information and assisting with investigations.
  • EU citizens have the right to file complaints in US courts and to challenge them in some cases. The organization participating in the program must inform citizens about its participation in the privacy shield, the types of data that will be collected and shared about individuals, the purposes for which the data is collected and shared, and provide a source for filing complaints, such as a link or phone number.
  • Citizens have the right to choose whether or not their personal data will be used for purposes other than those agreed.
  • When it comes to sensitive and private information, such as special health conditions, ethnic origins, political or religious views, the organisation must obtain written permission fromthe data subject to share the data with a third party or to use it for purposes other than those for which it was collected. When sharing sensitive personal data, such as those mentioned above, the organization participating in the Privacy Shield program is required to enter into a contract with the third party with whom the data will be shared. That contract stipulates that the data will not be used for purposes other than those for which it was collected and provides for the same level of protection that has been promised by the Privacy Shield organization.
  • Individuals have the right to access, amend or delete their information if it has been processed incorrectly by the participating organisation. The participating organisation must clarify the purposes for which individuals’ data will be shared and used.

We recommend reading more about
the rights of data subjects
 in our article outlining these rights conferred by the GDPR both from the point of view of the individual and the obligation of the controller to confer them.

Principles and key points of cooperation with EU ODA:

The U.S. Department of Commerce is committed to doing everything possible to implement principles and laws that will help make the EU-U.S. Privacy Shield program a success, which will include principles that protect the privacy of individuals and laws aimed at increasing cooperation with European Union data protection authorities (DPAs). The most important of these principles and laws are:

  • Follow up with companies that have been members of the Privacy Shield program and have terminated their membership or decided to opt out of the agreement to ensure that they continue to comply with the laws of the program and do not misuse individuals’ data.
  • Following up on false accusations made by some organisations and companies about joining the programme and taking the necessary legal steps to deal with these accusations.
  • Providing a permanent and direct link between the European Union’s Data Protection Authority (DPA) and the US Department of Commerce, which is committed to doing its utmost to receive any complaints and resolve any problems.
  • Assist the European Union Data Protection Authorities (DPAs) by providing any information related to the participants and the Privacy Shield framework.
  • The Privacy Shield program will ensure a firm commitment by companies that manage citizens’ personal data to maintain the privacy of individuals, and the U.S. Department of Commerce has committed to provide oversight and monitoring of these companies and organizations and to report annually. For any citizen who believes their data has been used illegally, the Privacy Shield program guarantees numerous mechanisms to reclaim their right, with uncomplicated procedures at cheap prices.

How can companies benefit from the EU-US Privacy Shield?

Although many investors may consider that privacy shielding has many negative effects on their companies and organisations, if we look carefully, we can see that there can be some benefits for the company that benefits from privacy shielding.

Those agreements that guarantee consumer privacy help increase the level of trust between the consumer and the organisation, which also leads to more new customers deciding to buy the company’s services.

Companies will be able to bypass the enforcement of contractual clauses at the time of transfer, which will save a lot of time (which could be up to several months) and make the transfer process much faster. This is because Privacy Shield transfers do not require prior authorisation from or notification to 65% of EU data protection authorities.

Data transfer based on the Privacy Shield does not need continuous updates and signatures on each new contract, which will save a lot of paperwork.

Institutions and companies have the choice whether or not to participate in the privacy shield, but they do not have the choice to choose to comply with EU laws to protect citizens’ data. This means that non-participating companies will not be able to obtain information about their customers in the European Union.

Need help implementing GDPR?
Use our online GDPR consulting services.

  • We assess your risks in every detail

  • We assist you step by step in implementation

  • We train your employees who process data

  • We provide you with standardised procedures and documents

Privacy Shield history from 2016 to 2.0

The topic is not new, nor has it been created recently, but there are old laws and attempts to bridge the gap between data privacy laws in the United States and the European Union. We are referring here in particular to what is known as the Safe Harbor International Privacy Principles Agreement, a program that was created and developed between 1998 and 2000. Its objectives and principles are very similar to the Privacy Shield, as it aims to provide protection for EU citizens’ data that is shared with US companies for commercial purposes.

On 6 October 2015, the European Court of Justice (ECJ) invalidated the International Safe Harbor Privacy Principles. This is known as Schrems I. After that, a new attempt begins to find a solution or agreement whereby European individuals’ data can be shared with US companies in a way that does not conflict with the General Data Protection Regulation (GDPR). We can therefore say that the Privacy Shield was an extension or an alternative to the international Safe Harbor privacy principles, with an attempt to correct the errors that led to the termination of the agreement.

Here are some of the changes that have been made in an attempt to avoid shutting down the program again:

  • Enforcement of stricter laws for participating organisations.
  • Individuals have the right to take action, such as complete deletion of data from participating organisations.
  • The data may not be used for purposes other than those for which they were collected and for which the citizen must also be aware from the outset of these purposes.
  • Privacy Shield participating organisations provide mechanisms to discuss and resolve complaints free of charge.

With all these efforts and changes between the international Safe Harbor privacy principles and the Privacy Shield, the court (which is the same one that stopped the old agreement) stopped the Privacy Shield on July 16, 2020, in what is known as Schrems II.

Schrems II

Why is the Privacy Shield program suspended?

The suspension is due to three main reasons:

  1. The first reason is the so-called“Adequacy Decision“. It is a law (of conditions set by the Court of Justice of the European Union – CJEU) that there must be laws protecting the privacy of individuals in countries that will deal commercially with EU citizens, laws equivalent or at least close to those in the European Union (GPDR), and while there are some countries that meet this condition, such as Canada, Argentina and many other countries, the United States is not one of those countries.
  1. The second reason is the US Surveillance Act. It is a law in the US Constitution and it clearly states that US authorities have the right to monitor any data for security purposes, such as discovering any threat to the US military or confronting terrorism or any goal of causing unrest in the country. In Schrems II, the CJEU addressed the validity of the SCCs as well as the European Commission’s finding on the adequacy of Safe Harbour. On the question of whether the US provides an adequate level of protection, the CJEU found that since Section 702 of the US Foreign Intelligence Surveillance Act (FISA) does not limit the power of surveillance programmes to target persons outside the US, The US does not guarantee a level of privacy protection.
  1. The third reason is that EU citizens cannot file a request for prosecution if US authorities are found to be involved in the misuse of data.

Results of the suspension of the EU-US Privacy Shield:

Such restrictions would reduce digital trade and have negative economic repercussions for businesses on both sides of the Atlantic. The deactivation of the Privacy Shield program makes companies and organisations work with Standard Contractual Clauses (SCC), also called Model Contractual Clauses (MCC), a law used to transfer data between EU and non-EU countries, which also imposes strict restrictions on its use. The problem with SCCs is that we are talking about a contractual obligation that does not bind other governments. Therefore, if national security agencies’ practices for accessing personal data are incompatible with the GDPR, SCCs clearly do not remedy this problem. Also, the use of standard contractual clauses does not make an international data transfer automatically GDPR compliant. The company must assess the laws of the country to which it intends to transfer the data. To use SCCs, you need to document the risks involved in dealing with data recipients outside the European Union and assess whether there are any loopholes or exceptions in the laws of the country to which the data will be transferred. The full integrity of the infrastructure for examining and storing citizens’ data as well as updates from EU authorities on KYC must be ensured.

What happens after the suspension of the Privacy Shield?

Participating companies need to reconsider the terms under which they contract with third party companies for the use of data. Companies that have experienced the problems and challenges facing the EU-US Privacy Shield and have adapted to the CCS are less affected by this suspension. The suspension could cause states to think again about whether to reshape their national privacy laws in line with GDPR legislation.

Here are the recommendations of the European Data Protection Board (EDPB) when using SCC:

  • Know your transfers: identify the transfer tools you rely on.
  • Adequacy decisions.
  • Evaluate transfer factors.
  • Evaluate the laws.
  • Take further action.
  • Take procedural steps if you have identified additional effective measures.
  • Reassess at appropriate intervals.

Privacy Shield 2.0

If we look at the number of attempts made to compensate for the absence or cancellation of the EU-US Privacy Shield, we can know the importance and existence of such an agreement, because once this programme is cancelled, we immediately find another attempt to compensate for this cancellation. This allows us to see the scale of the investment between the United States and the European Union, which urgently needs an agreement to bridge the gap between the data privacy laws of the two countries.

Because of the necessity and importance of continuing these investments between the two countries, the two sides have sought a new agreement known as Privacy Shield 2.0. These continuing attempts to reach an agreement that satisfies all parties show the importance of trade between the two countries.

The European Union and the United States have reached an agreement on a new alternative to the Privacy Shield due to a suspension in the Schrems II decision in July 2020, originally known as Privacy Shield 2.0. In fact, the aim of creating such an agreement is not very different from the EU-US Privacy Shield, which has been abolished, as the aim of both parties is to try to exchange data in a way that complies with the GDPR.

On 25 March 2022, the White House announced some initial principles for a new agreement with the European Union to share some citizens’ data.

What changes could be made to the Privacy Shield 2.0 to avoid another denunciation of the agreement by the Court of Justice (CJEU)?

First, let’s agree that the EU-US Privacy Shield 2.0 is only an announcement so far and not an explicit text that can be discussed or considered. There are indications that the United States does not intend to change its surveillance laws, which was a major reason for the cancellation of the old program, and this casts great doubt on whether the CJEU will allow this. So far, there seems to have been no change in the laws governing the use of data in a commercial context. Stricter obligations will apply to participating companies, and this will include the requirement to self-certify their membership to the US Department of Commerce.

Steps to expect for the implementation of the EU-US Privacy Shield 2.0

First, the United States needs to convert the statement it spoke of into an official written text that can be discussed and viewed.

Secondly, it is up to the European Union to issue a written proposal for an adequacy decision. The European Data Protection Board (EDPB) will then review the proposal to discover any problems with it.

Third, all countries representing the EU must agree to the new Privacy Shield 2.0.

Finally, the European Commission reviews the adequacy decision to ensure that it complies with the terms of the General Data Protection Regulation (GDPR).

All these steps will take time. For example, in 2016, just announcing the adequacy decision took about six months.

Will Privacy Shield 2.0 be broken again?

This question is the backbone of the whole issue, because if the international Safe Harbor privacy principles had not been discontinued in Schrems I in 2015 and the EU-US Privacy Shield 1.0 in Schrems II had not been discontinued in 2020, we would not be talking about the EU-US Privacy Shield 2.0 at all now. Because this program is initially an attempt to replace the EU-US Privacy Shield 1.0, as mentioned above.

Looking at the original details of the programme, we cannot find a real and fundamental change that would cause the European Court of Justice (ECJ) not to stop the EU-US Privacy Shield 2.0. This is because we find no change in the main reasons that led to the cancellation of the old programmes, and here I refer specifically to U.S. intelligence agencies, which, as explained above, allow the U.S. to monitor intelligence and data to determine any threat to U.S. armed forces, monitor terrorism and any riots that might occur in the country, according to the U.S. indictment.

Requirements and recommendations that are necessary to avoid suspension again

In drafting the text of the EU-US Privacy Shield 2.0 program, which will be submitted to the European Union for approval, the United States must keep in mind several important and basic points that could lead the CJEU to overturn the agreement again, and the most important of these points are the following:

  • The United States should commit in writing that European citizens’ data will not be used by US intelligence agencies.
  • The United States must comply with the adequacy decision.

Without compliance with these points, the new programme is likely to be suspended again.

conclusions

In the United States, data sharing laws and regulations to protect data privacy are not as stringent as those in the European Union. However, given the importance of existing trade between the two countries and the negative economic repercussions that would result from halting trade between the EU and the US, numerous attempts to reach an agreement on the protection of EU citizens’ personal data in relations with the US, which were eventually suspended.

The Privacy Shield is the program whose purpose is precisely to try to bridge the gap that exists between data privacy laws between the European Union and the United States. But we still have to wait for the new agreement, EU-US Privacy Shield 2.0. will be validated by the Court of Justice given that at this point the new agreement was only announced on 25 March 2022 by the White House, with no official text yet. We note, however, the fight the European Union is waging to protect the personal data of its citizens.

If you have questions about cross-border data exchanges, whether with the United States or any other country, and need assistance with implementing the GDPR standard in the company or institution you represent, contact us at contact@gdprcomplet.ro.