What is EU-US Privacy Shield?

Privacy Shield security concept

Privacy Shield was a regulatory framework that governed the transfer of personal data between the European Union and the United States. Its principal purpose was to give US companies a lawful mechanism for receiving personal data from the EU, keeping data flows running smoothly despite the fact that the two sides operated under separate data protection regimes.

In effect, Privacy Shield fulfilled the same role as an adequacy decision, the mechanism by which a third country outside the regulatory reach of the EU's General Data Protection Regulation (GDPR) is approved to receive EU data. Such a decision signals that the EU recognises the third country's data protection laws as robust enough to protect the data of EU data subjects. Unlike a country-wide adequacy decision, however, Privacy Shield only covered those US companies that self-certified under the framework.

Privacy Shield was ruled invalid by the European Court of Justice (ECJ) on 16 July 2020 in the case commonly known as Schrems II (Data Protection Commissioner v Facebook Ireland and Maximillian Schrems). The ECJ found that US surveillance law took primacy over the Privacy Shield principles, so that the framework, as it stood, could not provide protection for EU resident data essentially equivalent to that guaranteed under EU law. It also ruled that the Privacy Shield Ombudsperson mechanism did not give data subjects a right of redress before an independent body with the power to issue decisions binding on the US intelligence services, as EU law requires.

Where did Privacy Shield come from?

The 'International Safe Harbour Privacy Principles', commonly referred to as Safe Harbour, were in force between 2000 and 2015, when they were ruled invalid by the ECJ following a challenge by Max Schrems. Privacy Shield, which would suffer the same fate, replaced Safe Harbour and once again tried to ease data flows between the US and the EU.

The history of both frameworks actually stretches back to the 1980s when the EU started to pursue policies to raise the level of data protection offered to citizens throughout its member states. To guarantee these protections were universal, the EU needed to ensure that citizens were safeguarded by the same protections not only in the EU but when their data was sent to other countries, such as the US.

The EU eventually adopted the Data Protection Directive in 1995, the first meaningful set of EU-wide data protection rules and the legislation that would eventually evolve into what we know today as GDPR. Although it covered a variety of issues, one of its main functions was to ensure that companies sending data belonging to EU data subjects to non-EEA countries could not process that data to weaker standards.

The EU's appetite for raising the level of data protection for its citizens wasn't matched by legislators in the US, especially considering how security agencies such as the NSA were known to operate. However, because it was vital to ensure that data continued to flow undisrupted between EU territories and the US, the two sides came together to build a specific architecture that would let businesses move data seamlessly while data subjects could rest easy knowing their rights would continue to apply. For participating companies, this removed the need for other transfer mechanisms such as standard contractual clauses (SCCs) or binding corporate rules (BCRs).

Developed between 1998 and 2000, the Safe Harbour Privacy Principles were designed to give US organisations clear guidelines on how to collect and manage personal data received from the EU, reducing the risk that it would be mishandled or disclosed. The principles incorporated some of the requirements set out by the Data Protection Directive, including the need for adequate security, limiting collection to relevant data and restrictions on onward transfers to third countries, but adherence was voluntary for US companies. In July 2000, the European Commission decided that any US company able to demonstrate its commitment to the principles would be permitted to receive data from the EU, a ruling known as the 'Safe Harbour Decision'.

US companies operated under the Safe Harbour Decision for around 15 years, but in October 2015 the ECJ ruled the decision invalid. The main reason was that US national security and law enforcement requirements took precedence over the principles, giving public authorities generalised access to EU individuals' data in a way that conflicted with the rights to privacy and data protection enshrined in Articles 7 and 8 of the EU Charter of Fundamental Rights. The ECJ also found that the decision contained no findings that US law limited such access or gave EU data subjects any legal remedy, and that the framework effectively lacked oversight: a Commission decision could not prevent national data protection authorities from examining complaints about such transfers.

Enter Privacy Shield

Privacy Shield, announced in February 2016 and adopted by the European Commission in July that year, was an attempt to rectify these issues. It promised tougher obligations on US companies, namely requirements to monitor and enforce data protections more robustly and to cooperate with European data protection authorities.

As with Safe Harbour, it was a voluntary mechanism that US companies could use to legally receive data from the EU. Those that agreed to process data under Privacy Shield were required to self-certify with the US Department of Commerce and to publicly advertise their compliance in their privacy policy: a notice stating that they were committed to the Privacy Shield principles and, by extension, liable to enforcement action and fines if found to be in breach of them.

As part of this compliance, organisations were required to give EU users a means to opt out of having their data disclosed to third parties or used for a purpose materially different from the one for which it was originally collected, and to protect any data they collected with reasonable and appropriate security measures. EU data subjects also had the right to access the data an organisation held on them and to correct, amend or delete it where it was inaccurate or had been processed in a way that breached the Privacy Shield principles.

These protections only existed for EU data subjects; individuals in the US were protected only by US federal or state laws.

Privacy Shield fines & sanctions

The US Federal Trade Commission (FTC), the agency responsible for enforcing Privacy Shield commitments, had the power to take action against any company found to be in breach of them. Because a company's published commitment to the principles counted as a representation to consumers, a broken commitment could be pursued as a deceptive practice under Section 5 of the FTC Act.

Any US organisation that failed to abide by its commitments to the Privacy Shield principles could face a number of different penalties. Firstly, the FTC could issue administrative or court orders to compel an organisation to fix any violations. Failure to abide by these orders could result in civil penalties of up to around $40,000 for each violation, or around $40,000 per day for ongoing violations.

Any organisation found to be in persistent violation of the Privacy Shield principles would have its certification revoked, preventing it from using the mechanism for data transfers. This applied to any company found to be in repeated breach of the standards, even if the individual breaches were unrelated. The Department of Commerce would then remove the company's name from the Privacy Shield List.

What did Privacy Shield require of US businesses?

Privacy Shield was voluntary for US businesses; however, organisations were strongly advised to sign up to the framework, particularly if they planned to expand into Europe in the future.

Those that signed up were required to do the following:

  • Publish a detailed public-facing privacy policy stating their commitment to the Privacy Shield Principles and explaining how their processes complied with them.
  • Ensure that mechanisms were in place to restrict data sharing with third parties where a user had opted out, and that any third parties receiving such data were bound, typically by contract, to provide the same level of protection as Privacy Shield required.
  • Respond to access and deletion requests from users, and provide a means for users to correct their data, where the request was feasible and not disproportionately burdensome.
  • Take reasonable and appropriate measures to protect personal data against loss, misuse and unauthorised access, disclosure, alteration or destruction.

Criticisms of Privacy Shield

Both Safe Harbour and Privacy Shield highlighted an ongoing clash between the US and the EU over data protection rights.

The European Union has worked to increase protections and now operates one of the most robust data protection regimes in the world. Data processing is heavily scrutinised under GDPR, and companies face the prospect of fines of up to €20 million or 4% of global annual turnover, whichever is higher, for the most serious infringements.

The US, meanwhile, has expanded the surveillance powers of its intelligence agencies over the years, particularly following the introduction of the USA PATRIOT Act in 2001. Intelligence agencies are able to use programmes such as PRISM to collect data from US internet companies under Section 702 of the Foreign Intelligence Surveillance Act (FISA), which authorises the targeting of non-US persons located outside the US, a category that includes EU residents. Perhaps most importantly for EU authorities, the US has yet to adopt a comprehensive federal data protection law, let alone one that begins to mirror GDPR. Aside from states such as California, there have been few attempts to expand data protection rights.

Privacy Shield was, therefore, an attempt at a compromise on the part of the EU to overcome this ongoing contradiction: a mechanism that allowed US companies to demonstrate they could operate under GDPR-like controls.

Not everyone agreed that the EU's good faith was reciprocated, however. Most notably, under the arrangement the US had a duty to appoint an ombudsperson to act as an additional point of redress for EU citizens raising complaints about access to their data by US intelligence agencies. The permanent position sat unfilled until June 2019, when Keith Krach was confirmed as the US' first permanent Privacy Shield Ombudsperson, leading many to question whether the country was taking its role seriously enough.

Concerns had also been raised over the years about the framework's ability to protect EU data. In 2016, the European Data Protection Supervisor, Giovanni Buttarelli, argued that "significant improvements" were needed and that, as it stood, Privacy Shield was simply "not robust enough to withstand future legal scrutiny before the court". He also added that it was "time to develop a longer-term solution in the transatlantic dialogue".

Max Schrems, the Austrian legal activist who brought the case to the ECJ that would ultimately lead to Privacy Shield's downfall, argued that Privacy Shield was hastily put together in order to fill the gap left by the previous framework and that those behind it.

"Sometimes I call it Safe Harbour 1.0.1 because basically most of the text is exactly the same, most of the structure is exactly the same," said Schrems, speaking at a data protection summit in London in June 2019, adding that he often referred to it instead as "lipstick on a pig".

Speaking on the speed at which it was negotiated, he said: "There was a deadline on January 31. What happened was that they failed to come to any kind of agreement. I was asking later and apparently, the Europeans stood off the table and said there was no way we're ever going to get it. 48 hours later and there was [suddenly] a deal. Another 24 hours later and we got this logo."

What will replace Privacy Shield?

Now that Privacy Shield has been invalidated, businesses can no longer rely on the mechanism to transfer data. Despite the disruption the judgement caused, no grace period was announced to allow businesses to continue using the mechanism until a replacement is devised. When Safe Harbour was invalidated, businesses were initially given a grace period of around three months, although it took roughly nine months before Privacy Shield was formally adopted in July 2016.

Although Privacy Shield was struck down in July 2020, a replacement still hasn't been established, and it's not clear how long one might take. In the meantime, companies must fall back on SCCs or BCRs, which the court left standing but which now require the data exporter to assess whether the destination country's surveillance laws undermine the contractual protections and, if so, to put supplementary measures in place. Given that Privacy Shield and Safe Harbour were invalidated for very similar reasons, it's likely that the European Commission and privacy advocates will demand a more robust system. The European Data Protection Supervisor indicated in December 2020 that a replacement would be unlikely 'for a while'. To facilitate a new arrangement, the EU could ask the US to commit to far greater protections for EU resident data, or move towards greater regulatory alignment. Whatever the detail of the agreement, any friction between the two sides will almost certainly cause delay.

Dale Walker

Dale Walker is the Managing Editor of ITPro, and its sibling sites CloudPro and ChannelPro. Dale has a keen interest in IT regulations, data protection, and cyber security. He spent a number of years reporting for ITPro from numerous domestic and international events, including those hosted by IBM, Red Hat and Google, and has been a regular reporter at Microsoft's various yearly showcases, including Ignite.