'The EU-U.S. Privacy Shield is
a tremendous victory for privacy, individuals,
and businesses on both sides of the Atlantic.' - U.S. Secretary of
Commerce Penny Pritzker.
What do you need to do and why?
European businesses are prohibited from transferring data if
certain data protection requirements are not being met. An American business
that seeks to maintain its transatlantic transactions thus has a genuine
interest in complying with such requirements. The Privacy Shield program is administered
by the International Trade Administration (ITA) within the U.S. Department of
Commerce. It enables U.S.-based organizations to join the Privacy Shield
Framework in order to benefit from the adequacy determination. To join the
Privacy Shield Framework, a U.S.-based organization will be required to
self-certify to the Department of Commerce (via this website) and
publicly commit to complying with the Framework's requirements. While joining
the Privacy Shield Framework is voluntary, once an eligible organization makes
the public commitment to comply with the Framework's requirements, the commitment
will become enforceable under U.S. law. All organizations interested in joining
the Privacy Shield Framework should review its requirements in their
entirety.
The Background
It is all about receiving data from EU countries and about data
protection, which must happen in a certain way to avoid severe monetary fines.
In order to maintain transatlantic business, the previous 'Safe Harbour'
framework aimed to provide such data protection. However, the European
Court of Justice held this framework invalid on October 6, 2015 for being
insufficient. The EU-U.S. Privacy Shield is its successor.
The Issue
Many transatlantic transactions require the transfer of
personal data, especially in today's digital economy. Such data often contains
name, phone number, birth date, home and email address, credit card number, national
insurance or employee number, login name, gender and marital status, or other
information that makes it possible to identify you. For instance, your data may
be collected in the EU by a branch or a business partner of an American company,
which receives the data and then uses it in the U.S. This is the case, for
instance, when goods or services are bought online, when using social media or
cloud storage services, or if you are an employee of an EU-based company that
uses a company in the U.S. (e.g. the parent company) to deal with personnel
data.
The new EU-U.S. Privacy Shield
EU law requires that when your personal data are transferred
to the U.S., they continue to benefit from a high level of protection. This is
where the EU-U.S. Privacy Shield comes in. The Privacy Shield allows your
personal data to be transferred from the EU to a company in the United States,
provided that the U.S. company processes (e.g. uses, stores and further
transfers) your personal data according to a strong set of data protection
rules and safeguards. The protection given to the data applies regardless of
whether the person is an EU citizen or not. A PDF guide with further
information can be found here.