What is the EU – US Privacy Shield Framework?
ON THIS PAGE
US companies, having business in the European Union countries, must comply with Europe's personal data privacy laws. When US companies collect Europeans' personal data and transfer the data to the US, the data could be managed according to US privacy laws. The EU – US Privacy Shield Framework was created to enable US companies to receive personal data from EU entities without violating EU privacy laws and protecting European Union citizens.
What is the EU–US Privacy Shield Framework?
The EU – US Privacy Shield was a legal framework for regulating transatlantic exchanges of personal data to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements. Its main purpose was to enable US companies to receive personal data from EU entities without violating EU privacy laws and protecting European Union citizens. The EU–US Privacy Shield went into effect on 12 July 2016 after it was approved by the European Commission. It replaced the International Safe Harbor Privacy Principles, which were declared invalid by the European Court of Justice in October 2015.
There are seven major principles under the EU – US Privacy Shield Framework:
- Notice. Individuals must be informed that their data is being collected, how it will be used and for what purposes. The organization must provide information about how individuals can contact the organization regarding their private data.
- Choice. Individuals must have the option to opt out of the collection and management of their personal data.
- Accountability for onward transfer. The transfers of personal data to third parties may only occur to the organizations that comply with the data privacy laws.
- Security. Organizations must take reasonable efforts to prevent the loss of collected information.
- Data integrity and purpose limitation. The personal data must be used just for the purpose it was collected.
- Access. Individuals must be able to access, correct, or delete their personal data.
- Enforcement and liability. The rules must be enforced effectively.
Is the EU–US Privacy Shield Framework still valid?
The European Court of Justice announced that the EU – US Privacy Shield became invalid on 16 July 2020. As a result of that decision, the EU – US Privacy Shield framework is no longer valid to comply with EU data protection requirements when transferring personal data from the EU to the United States.
The Swiss-US Privacy Shield Framework
Similar to the EU–US Privacy Shield Framework, the Swiss Government approved the Swiss-US Privacy Shield Framework to comply with Swiss requirements when transferring personal data from Switzerland to the United States to comply with data protection requirements. The Swiss-US Privacy Shield Framework became a valid legal mechanism on January 12, 2017.
On September 8, 2020, the Federal Data Protection and Information Commissioner of Switzerland issued an opinion, stating that the Swiss-US Privacy Shield Framework does not provide an adequate level of protection when transferring personal data and the framework is no longer valid. However, the opinion does not relieve participants in the Swiss-US Privacy Shield of their obligations under the Swiss-US Privacy Shield Framework.
Future of the data transfer between the EU and the US
On 25 March 2022, the leaders of the US and EU announced a new data transfer framework called the Trans-Atlantic Data Privacy Framework (TADPF). The new framework would allow EU citizens to pursue data privacy violations through a new Data Protection Review Court. A final version of the TADPF is expected to be available by the end of 2022.
The key principles of the new agreement are the following:
- Personal data could flow freely and safely between the EU and the US companies.
- New rules to limit access to data by the US intelligence authorities to what is necessary and proportionate to protect national security. The US intelligence authorities will adopt procedures to comply with the new standards.
- A new redress mechanism with independent authority to investigate and resolve complaints of Europeans on the access of data by the US.
- Strong obligations for the US companies processing data transferred from the EU,
- Monitoring and review mechanisms.
The Trans-Atlantic Data Privacy Framework will provide adequate protection for Europeans’ data transferred to the US and create a durable and reliable legal basis for personal data transfer and management.
CookieScript Consent Management Platform is easy to use and complies with the EU and the US privacy regulations.
Frequently Asked Questions
What is the EU – US Privacy Shield Framework?
The EU – US Privacy Shield was a legal framework for regulating personal data transfer between the EU and the US to comply with data protection requirements. Its main purpose was to enable US companies to receive personal data from EU entities without violating EU privacy laws and protecting European Union citizens. The EU–US Privacy Shield went into effect on 12 July 2016 after it was approved by the European Commission. However, the European Court of Justice announced that the EU – US Privacy Shield became invalid on 16 July 2020. As a result of that decision, the EU – US Privacy Shield framework is no longer valid. Follow up CookieScript privacy laws to be informed of the latest privacy regulations and to know when the TADPF will take effect.
Why was the EU – US Privacy Shield invalidated?
The European Court of Justice announced that the invalidation of Privacy Shield was twofold: US law gives US authorities the right to collect Europeans' personal data without adequate safeguards and EU data subjects lack effective means to seek redress against the US government. Read CookieScript privacy laws to follow up with the latest privacy regulations regarding the data transfer between the EU and the US.
What will replace the EU – US Privacy Shield Framework?
It was proposed a new data transfer framework between the EU and the US called the Trans-Atlantic Data Privacy Framework (TADPF). The new Trans-Atlantic Data Privacy Framework will provide adequate protection for Europeans’ data transferred to the US and create a durable and reliable legal basis for personal data transfer and management. A final version of the TADPF is expected to be available by the end of 2022. Follow up CookieScript privacy laws to be informed of the latest privacy regulations and to know when the TADPF will take effect.