On July 16, 2020, the Court of Justice of the European Union (CJEU) issued a judgment declaring as "invalid" the European Commission's Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union (EU) to the United States (U.S.).
On September 8, 2020 the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland issued an opinion concluding that the Swiss-U.S. Privacy Shield Framework does not provide an adequate level of protection for data transfers from Switzerland to the United States pursuant to Switzerland's Federal Act on Data Protection (FADP).
The CJEU found that Privacy Shield failed to meet EU data protection standards given the breadth of U.S. data collection powers authorized in U.S. electronic surveillance laws and the lack of redress options for EU citizens. The CJEU ruling also increased due diligence requirements for data exporters using another EU mechanism—standard contractual clauses (SCCs)—to transfer personal data to the United States.
On March 25, 2022, the U.S. and the EU announced a political agreement on a new Trans-Atlantic Data Privacy (TADP) Framework to safeguard commercial cross-border data flows.
Acronyms, Abbreviations, and Initialisms
|Short Form||Full Form|
|CJEU||Court of Justice of the European Union|
|DOC||Department of Commerce|
|FADP||Federal Act on Data Protection|
|FDPIC||Federal Data Protection and Information Commissioner|
|ITA||International Trade Administration|
|SCC||Standard Contractual Clause|
|TADP||Trans-Atlantic Data Privacy|
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce (DOC), and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the EU and Switzerland to the United States in support of transatlantic commerce.
The Privacy Shield program, which is administered by the International Trade Administration (ITA) within the U.S. DOC, enables U.S.-based organizations to join one or both of the Privacy Shield Frameworks. To join either Privacy Shield Framework, a U.S.-based organization will be required to self-certify to the Department and publicly commit to comply with the Framework requirements. While joining the Privacy Shield is voluntary, once an eligible organization makes the public commitment to comply with the Framework requirements, the commitment will become enforceable under U.S. law.
The Privacy Shield Principles comprise a set of seven commonly recognized privacy principles combined with 16 equally binding supplemental principles, which explain and augment the first seven. Collectively, the 23 Privacy Shield Principles lay out a set of requirements governing participating organizations' use and treatment of personal data received from the EU under the Framework as well as the access and recourse mechanisms that participants must provide to individuals in the EU.
- Accountability for Onward Transfer
- Data Integrity and Purpose Limitation
- Recourse, Enforcement and Liability
- The Privacy Shield is superseded by the TADP Framework.
- The Privacy Shield replaced the Safe Harbor program.
- The Privacy Shield Principles comprise a set of seven commonly recognized privacy principles.
- Participation in the Privacy Shield is voluntary.
- Once an eligible organization makes the public commitment to comply with the Framework requirements, the commitment will become enforceable under U.S. law.