The E.U. – U.S. Privacy Shield

Corina McIntyre, Vol. 37 Associate Editor

In October 2015, the European Court of Justice (“ECJ”) struck down the U.S.-E.U. transatlantic “Safe Harbor” pact used by thousands of companies to transfer European citizens’ data to the U.S. For 15 years the Safe Harbor pact had “allowed more than 4,000 companies to avoid cumbersome E.U. data transfer rules by stating that they complied with E.U. data protection law.”[1] The E.U. argued that the pact “exposed Europeans to mass surveillance by the U.S. government” and failed to provide necessary privacy guarantees.[2] The ECJ held that the pact violated Europeans’ privacy rights and that E.U. member states can consequently override the pact. The decision affected an estimated 4,500 companies that store customers’ personal data. The practical consequences of the ruling were predicted to initiate a costly effort by companies to preserve their ability to “transfer Europeans’ personal data to the U.S. before regulators move[d] in with fines or orders to suspend data flows.”[3] And the economic ramifications are hardly insignificant. In addition to storing human resource type documents, the data was used in the online advertising business to the tune of billions of dollars in trade.[4] Since the decision, E.U. and U.S. regulators have been in negotiations to establish a new and improved data-transfer framework to replace the Safe Harbor pact. In February 2016, they unveiled what is referred to as Privacy Shield. Privacy Shield is the new proposed framework that places “stronger obligations on U.S. companies to protect Europeans’ personal data and ensure stronger monitoring and enforcement by U.S. agencies.”[5] In particular, the new pact is characterized by three primary objectives: strong obligations on companies handling Europeans’ personal data; robust enforcement, clear safeguards and transparency obligations on U.S. government access; and effective protection of E.U. citizens’ rights with several redress possibilities.[6] Given the encouraging progress of these negotiations, in February 2016, E.U. privacy regulators announced that they would postpone enforcement actions for trans-Atlantic transfers of Europeans’ personal data until March or April 2016.[7] Since October 2015, companies can clearly no longer rely on the invalidated Safe Harbor pact. However, the current legal climate surrounding E.U.-U.S. data transfer is anything but clear for the thousands of affected companies. European data protection authority representatives have stated that they will handle such cases and complaints on a case-by-case basis, suggesting that they are not proactively investigating and prosecuting these companies for the time being.[8] In the coming weeks, E.U. regulators will draft an adequacy decision analyzing the new Privacy Shield framework. On the U.S. side, government officials will ensure that the new framework is in place, including the Ombudsman and other necessary monitoring mechanisms.[9]

[1] Julia Fioretti and Foo Yun Chee, New European, U.S. Data Transfer Pact Agreed, Reuters (Feb. 2, 2016, 1:15 PM), [2] Sam Schechner and Natalia Drozdiak, EU Privacy Regulators Delay Possible Crackdown on Data, Wall St. J. (Oct. 6, 2015, 1:14 PM) [3] Id. [4] Id. [5] Fioretti and Chee, supra note 1. [6] European Commission Press Release IP/16/216, EU Commission and United States agree on new framework for transatlantic data flows: EU-US Privacy Shield (Feb. 2, 2016), available at [7] Sam Schechner and Natalia Drozdiak, EU Privacy Regulators Delay Possible Crackdown on data transfers to U.S., Wall St. J. (Feb. 3, 2016, 9:33 PM), [8] Nancy Scola, Privacy Shield’s future: five things to know, Politico (Feb. 13, 2016, 1:42 PM), [9] Supra note 6.