Data Protection Academy » Data Protection Wiki » EU-US Privacy Shield

EU-US Privacy Shield

The European Court of Justice (ECJ) declared the EU-US Privacy Shield invalid on 16.07.2020 (Case C-311/18).

The EU-US Privacy Shield

Background and development of the EU-US Privacy Shield

The EU-US Privacy Shield was an informal arrangement in the field of data protection law negotiated between the European Union and the United States of America from 2015 to 2016 and was valid until 2020. The European Union classifies the transfer personal data to the USA due to the USA PATRIOT ACTS and the resulting extensive access rights of the U.S. authorities to company data as critical.

In the past, the transfer of personal data was regulated by the so-called Safe Harbor Agreement between the EU and the USA in such a way that personal data could be transferred to the USA in accordance with the law. The Safe Harbor Agreement was declared invalid by the European Court of Justice in October 2015.

For this reason, a successor agreement was adopted, the EU-US Privacy Shield. The Privacy Shield was adopted by the European Commission in July 2016 and was declared invalid by the European Court of Justice on 16.07.2020. This means that, with immediate effect, it is no longer possible for US companies to process personal data of EU citizens on this basis.

Why was the EU-US Privacy Shield declared invalid?

It all started with Austrian Max Schrems' complaint to the Irish supervisory authority DPC. Schrems first complained about the processing of Facebook users' data, which did not take place at Facebook's European headquarters in Ireland, but on servers in the US. At the time, this case still referred to the Safe Harbour agreement. The European Court of Justice ruled in favour of Schrems in 2015 and declared the safe harbour agreement invalid.

Despite the ruling, Facebook continued to process data in the US, this time on the basis of the standard contractual clauses and the Privacy Shield. Max Schrems sued again against the action, whereupon the Privacy Shield "data protection shield" was also declared invalid.

The judges justified the ruling by stating that the transfer of data of European data subjects to a third country can only comply with the GDPR if an appropriate level of protection is guaranteed. However, since surveillance programmes in the USA are not restricted to a necessary extent and Europeans have no right to complain about this, an adequate level of protection cannot be assumed.

Aim and benefits of the EU-US Privacy Shield

On the official website of the Privacy Shield of the U.S. Government the aims and benefits of the privacy shield are described as follows:

"The EU-U.S. and Swiss-U.S. Privacy-Shield frameworks were developed by the U.S. Department of Commerce and the European Commission, as well as the Swiss government, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic trade".

In general, the privacy shield applies to actions or practices of "persons, partnerships or companies". Custodian banks (banks, federal credit cooperatives and savings banks), telecommunications and interstate transport companies, labour associations, as well as non-profit organisations and most logistics companies are not covered.

Whitepaper Data protection at company sites and persons in the data protection organisation

Whitepaper: Data protection at company sites and persons in the data protection organisation

In the whitepaper on data protection at company sites & persons in the data protection organisation you will find:

  • Get information on Legally permissible data transfers
  • Learn more about the Data protection relevant consideration of different company locations
  • Learn DSGVO-compliant Possibilities of Data transfer to third countries Know
  • Get background information on the Market place principle, third country and group privilege
  • Learn which people Members of the data protection organisation are

Unfortunately this content is currently only available in German. Please feel free to contact us for more information.

External Data Protection Officer

You are welcome to contact us as external data protection officer (DPO) order. We also offer individual consulting services as well as audits and will be happy to provide you with a non-binding offer. You can find more information about our external data protection officers on our website.

Regulating data transmission to the USA in accordance with data protection laws

Companies or organisations within the EU have to consider three issues:

  1. Is personal data transferred to business partners in the USA as part of a business process? This can be, for example, the transfer of employee data as part of order processing or the use of software services in the USA as part of order processing.
  2. Is personal data transferred to subsidiaries in the USA within a group or corporate group?
  3. Is personal data transferred within a company located in the USA?

For 1, 2 and the following activities must be performed.

1. Business partner must be registered in the Privacy-Shield

In the case of a transfer of personal data to business partners within the USA, this business partner must have joined the Privacy Shield Framework. This can be found on the website of the Privacy-Shield be checked.

The business partner can be easily identified on the official website join the Privacy Shield framework through a self-certification procedure.

2. US subsidiaries of European companies must act

European companies with subsidiaries in the USA should certify these subsidiaries for the privacy shield. The Privacy-Shield Framework offers the possibility to use its Official website of the Privacy Shield to certify themselves.

3. Solve transfer within a company by means of binding corporate rules (BCR) or EU standard contract

If personal data is transferred to the USA within a company, for example within a stock corporation, this company must secure the transfer of personal data in accordance with data protection laws.

This can be achieved by the company implementing internal guidelines within the group of companies, so-called Binding Corporate Rules (BCR). Furthermore it has the possibility to use EU standard contractual clause in order to set up the transmission in accordance with data protection laws.

Prof. Dr. Andre Döring

This might interest you too:

The Supply Chain Act (LkSG)

The Supply Chain Act (LkSG) came into force on 01.01.2023. Learn about the current regulations and obligations for companies in the article.
IT security incident

What to do in the event of an IT security incident?

The most important facts about IT security incidents. Learn practical tips on recognising and dealing with IT emergencies in the article.

What is the TTDSG or TDDDG?

The TTDSG became the Telecommunications Digital Services Data Protection Act (TDDDG) on 13 May 2024 as a result of the harmonisation with the EU Directive.