Privacy Shield EU-U.S. Data Transfer Arrangement
On February 29, 2016, the European Commission and the Obama Administration released the proposed EU-U.S. Privacy Shield. The Privacy Shield aims to replace the Safe Harbor framework for commercial data flows between the EU and the U.S., which was struck down by the Court of Justice of the European Union in October 2015. The Privacy Shield agreement is to serve as the basis for an “adequacy” decision by the European Commission that the U.S. has a satisfactory system regarding data protection, including addressing issues related to government surveillance and consumer privacy.
- EU Advocate General Backs Data Transfers, Criticizes Privacy Shield: Today the EU Advocate General issued an advisory opinion in "Schrems 2.0," a case about Facebook’s transfer of personal data to the United States. The Advocate General backed data transfers generally but sharply criticized the EU-US Privacy Shield agreement. The Advocate also said that data protection authorities must enforce privacy obligations. The Advocate General cited EPIC's expert submissions in the case concerning the adequacy of US privacy law. The case follows the European Court's landmark decision in Schrems v. DPC striking down the "Safe Harbor" arrangement. The European Court of Justice is expected to issue a binding opinion in the next few months. After the original Schrems opinion, EPIC testified in Congress. EPIC's Marc Rotenberg urged Congress to "modernize" US privacy law and also establish an independent privacy agency. (Dec. 19, 2019)
- FTC Announces Privacy Shield No Penalty Enforcement Action: The FTC entered into settlements with four companies that misrepresented their participation in the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework. These frameworks permit the transfer of Europeans' personal data to the U.S. with an assurance of privacy protection. The settlements require the companies to halt misrepresentations about compliance, but provides no remedy to those EU citizens whose personal data was collected. EPIC has repeatedly told Congress that that the FTC lacks effective enforcement authority. In recent comments on the Privacy Shield, EPIC also noted the absence of a comprehensive U.S. federal privacy law and a data protection authority with the authority to enforce privacy rights. Under the Schrems decision, which provided the basis for the Privacy Shield, the Court of Justice explained that "everyone whose rights and freedoms are violated" have "the right to an effective remedy." (Dec. 3, 2019)
- European Privacy Board Cites Concerns about EU-U.S. Privacy Shield (Nov. 14, 2019) +
- EU-U.S. Privacy Shield Renewed, Still in Dispute in Court (Oct. 23, 2019) +
- Access Now Calls for Privacy Shield to be Struck Down (Sep. 18, 2019) +
- Company Violates Privacy Shield, FTC Imposes No Penalty (Aug. 22, 2019) +
- EPIC Comments on Canada Transborder Data Flow Policy (Aug. 6, 2019) +
- EPIC Comments on Third Annual Privacy Shield Review (Jul. 15, 2019) +
- EPIC to Discuss US Surveillance before Top European Court (Jul. 8, 2019) +
- EPIC Urges Senate to Strengthen US Privacy Laws for Cross Border Data Flows (Mar. 26, 2019) +
- European Privacy Board Report Criticizes Privacy Shield Compliance (Jan. 25, 2019) +
- EU-U.S. Privacy Shield Renewed, Privacy Commitments Ignored (Dec. 19, 2018) +
- U.S. Defends Privacy Shield, But Fails to Comply with Privacy Commitments (Sep. 5, 2018) +
- EPIC Comments on Second Annual Privacy Shield Review (Aug. 14, 2018) +
- For Internet Policy, EPIC Urges Congress to Update U.S. Privacy Laws (Jul. 30, 2018) +
- European Parliament: 'Privacy Shield' Does Not Protect Privacy, Calls for Suspension (Jul. 5, 2018) +
- FTC Announces Another Privacy Settlement, But Again Imposes No Penalties (Jul. 2, 2018) +
- European Civil Liberties Committee: 'Privacy Shield' Should Be Suspended (Jun. 12, 2018) +
- European Court of Justice Receives Key Questions on Future of EU-US Personal Data Transfers (Apr. 12, 2018) +
- EPIC Tells House to Probe Commerce Secretary on Data Protection, Privacy Shield (Mar. 20, 2018) +
- Congress Renews Controversial Surveillance Measure, EU Impacted (Jan. 18, 2018) +
- EU Approves Data Transfer Arrangement, But Seeks Stronger U.S. Privacy Protections (Oct. 18, 2017) +
- EPIC Urges House to Strengthen US Privacy Laws for Cross Border Data Flows (Oct. 12, 2017) +
- FTC Announces Privacy Shield Settlement but Imposes No Penalties (Sep. 8, 2017) +
- European Privacy Officials Push for Answers on Status of U.S. Privacy (Jun. 13, 2017) +
- EPIC, Privacy Coalition Meet with EU Data Protection Supervisor (Apr. 21, 2017) +
- European Parliament Expresses Alarm Over Rollback of US Privacy Safeguards (Apr. 6, 2017) +
- NGOs Continue Campaign Against Privacy Shield (Mar. 2, 2017) +
- White House Publishes Privacy Report, Data Breaches Continue to Rise, as Obama Leaves Office (Jan. 19, 2017) +
- EPIC Tells Senate to Probe Commerce Nominee on Data Protection, Privacy Shield (Jan. 18, 2017) +
- Second Legal Challenge Launched Against "Privacy Shield" (Nov. 3, 2016) +
- Privacy Shield Sign-ons Begin (Aug. 2, 2016) +
- European Commission Signs Off on Flawed "Privacy Shield" (Jul. 12, 2016) +
- Privacy Shield Revisions Fail to Satisfy Legal Requirements (Jun. 29, 2016) +
- EPIC's Rotenberg Outlines Need for International Privacy Framework (Jun. 17, 2016) +
- Top European Privacy Official Rejects EU-US "Privacy Shield" (May. 31, 2016) +
- European Parliament Requires Changes to Privacy Shield (May. 26, 2016) +
- TACD Opposes "Privacy Shield," Urges Rejection by EU (Apr. 7, 2016) +
- EPIC's Rotenberg Urges European Parliament to Condition "Privacy Shield' on End of 702 Surveillance (Mar. 17, 2016) +
- NGOs - "Privacy Shield" is Failed Approach for EU-US Data Protection (Mar. 16, 2016) +
- "Privacy Shield" Released, New Questions Raised (Feb. 29, 2016) +
- Department of Commerce: Privacy Shield "does not exist" (Feb. 10, 2016) +
- Privacy Commissioners to Review "Privacy Shield" (Feb. 3, 2016) +
More top news
The Court of Justice of the European Union (CJEU) issued the final ruling in Schrems v. Data Protection Commissioner (Case C-362/14) on October 6, 2015. The Court’s decision invalidated the Safe Harbor EU-U.S. data transfer arrangement. The European Commission seeks to replace the Safe Harbor framework with the Privacy Shield proposal.
As a consequence of the Schrems decision the negotiations between the European Commission and the U.S. Department of Commerce continued on the revision of Safe Harbor. The goal has been to reach a solution for the continuation of data flows which provides legal certainties for individuals and businesses alike. The new framework must meet the legal criteria of EU law, including the Schrems judgment, and provide for adequate safeguards for the fundamental rights to privacy and data protection.
The Court interprets that ‘adequacy’ means that the third country must ensure, through its domestic legal order or international commitments, a level of protection which is essentially equivalent to that guaranteed within the EU.
The Article 29 Working Party, composed of privacy officials across Europe, set the end of January 2016 deadline for the European Commission and the U.S. to create an alternative to Safe Harbor before initiating coordinated enforcement actions.
On February 2, 2016, the EU Commission and the Department of Commerce announced that they reached a political agreement on the framework, the so-called Privacy Shield. Despite the announcement, they did not make the text of the agreement public until February 29, 2016.
According to privacy and consumer groups the framework in the published form fails to provide adequate protections against commercial misuse of personal information and bulk surveillance.
The Article 29 Working Party issued its opinion on the Privacy Shield draft adequacy decision on April 13, 2016. They announced that there must be changes in the proposal. The Article 29 Working Party in its opinion cited the complexity of the redress mechanism, the lack of independence of the ombudsman, as well as the broad uses of personal data that would be permitted under the arrangement. According to the privacy officials the US does "not exclude massive and indiscriminate collection of personal data”, the Ombudsperson “is not sufficiently independent” and “does not guarantee a satisfactory remedy”. The Working Party has also concluded that "onward transfers of EU personal data are insufficiently framed”.
EPIC supports the establishment of a comprehensive legal framework to enable transborder data flows. EPIC previously urged that the United States begin the process of ratification of Council of Europe Convention 108. EPIC has launched "Data Protection 2016" to support stronger privacy safeguards in the US.
In a letter to Commissioner Vera Jourova and Secretary Penny Pritzker, EPIC and more than 40 NGOs to urge the U.S. and the EU to protect the fundamental right to privacy. The groups warned that that without significant changes to "domestic law" and "international commitments," a new framework will almost certainly fail.
EPIC and a coalition of NGOs called on the European Union, and the Article 29 Working Party in particular, to oppose the Privacy Shield proposal because the political agreement fails to provide sufficient data protection and does not respect the decision of the European Court of Justice in the Schrems case.
EPIC’s President Marc Rotenberg in a testimony before the LIBE Committee of the European Parliament outlined several flaws in the proposed EU-US data transfer agreement, including a weak privacy framework, lack of enforcement, and a cumbersome redress mechanism. In the short term, Rotenberg recommended that the EU condition acceptance of the Privacy Shield on the end of the "702 program," which permits bulk surveillance on Europeans by the US. EPIC along with other NGOs has urged the European Commission to rewrite the Privacy Shield, saying it fails to safeguard human rights and does not reflect changes in US law as required by the Schrems decision.
EPIC filed a Freedom of Information request to obtain the text of the agreement when the negotiators failed to publish the Privacy Shield in February 2016.
- European Data Protection Supervisor, Opninion on the EU-U.S. Privacy Shield draft adequacy decision (May 30, 2016)
- Article 29 Working Party Press Release on Privacy Shield (April 13, 2016)
- Article 29 Working Party Opinion on Privacy Shield (April 13, 2016)
- Article 29 Working Party: Working document on the justification of interferences with the fundamental rights to privacy and data protection through surveillance measures when transferring data (European Essential Guarantees)
- Transatlantic Consumer Dialogue Resolution on Privacy Shield (April 7, 2016)
- NGO coalition letter to oppose Privacy Shield (March 16, 2016)
- BEUC, The Consumer Voice in Europe's Statement on the Privacy Shield Proposal (April 11, 2016)
- NGO letter to Commissioner Jourova and Secretary Pritzker to oppose a Safe Harbor 2.0 (November 13, 2015)
- EPIC's webpage on Safe Harbor and the Schrems Judgment
- EPIC's webpage on Article 29 Working Party
- EU Commission: Privacy Shield (2016)
- U.S. Department of Commerce: Privacy Shield (2016)
- Jennifer Baker, Don't hold your breath on Privacy Shield deal - it'll be last minute, insider says, arstechnica (June 9, 2016)
- Laurens Cerulus, Privacy shield dead on arrival, Politico (May 30, 2016)
- Carlo Piltz, German authorities slam draft Privacy Shield - Call for new legal remedies to challenge Commission decision, De Lege Data (Apr 21, 2016)
- Privacy Laws & Business, UK ICO urges U.S. to answer DPA's Privacy Shield questions (Apr 29. 2016), http://www.privacylaws.com/Int_enews_29_4_16
- Leo Kelion, EU watchdogs demand revisions to Safe Harbour replacement BBC (Apr 13, 2016)
- Mark Scott, Europe's Privacy Watchdogs Call for Changes to U.S. Data-transfer Deal, The New York Times (Apr 13, 2016)
- Samuel Gibbs, Data regulators reject EU-U.S. Privacy Shield safe harbour deal, The Guardian (Apr 14, 2016)
- Access Now, Privacy Shield fails to provide certainty for users, say EU Data Protection Authorities (Apr 13, 2016)
- Sam Schechner and Natalia Drozdiak, EU Regulators Call for Changes to EU-U.S. Privacy Accord, The Wall Street Journal (Apr 13, 2016)
- EU privacy watchdogs cast doubt on data sharing deal with U.S., Financial Times (Apr 13, 2016)
- Rachel Stern, EU privacy advocates complain data-sharing pact not good enough, The Christian Science Monitor (Apr 13, 2016)
- Glyn Moody, EU-US Privacy Shield may not pass muster, according to leaked extract, arstechnica (Apr 13, 2016)
Share this page:
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.