What Is Privacy Shield?

Privacy Shield was an EU-U.S. (and, separately, Swiss-U.S.) privacy framework designed by the U.S. Department of Commerce, the European Commission and the Swiss Administration. It provided companies on both sides of the Atlantic with a reasonably straightforward mechanism for moving personal data between the EU, Switzerland and the U.S. in support of transatlantic business.

What Rights Do EU Citizens Have Under The Privacy Shield?

The simple answer is that Privacy Shield was a framework companies used to give individuals in the EU protections comparable to those they have under the GDPR when their data was transferred to the U.S. There are 7 principles under the Privacy Shield that map closely to the 7 principles of the GDPR. The difference is one of kind: the GDPR is the EU's privacy regulation itself, and far more robust; Privacy Shield was a self-certification scheme that the European Commission deemed to provide adequate protection for data transferred to participating U.S. companies. Below is a very high-level description of the 7 principles of the Privacy Shield.

  1. Notice – Individuals must be told what types of personal data are collected about them, why, with whom it will be shared, and how to contact the organization with an inquiry or complaint.
  2. Choice – Individuals must be able to opt out of having their data disclosed to a third party or used for a purpose materially different from the one it was collected for, and must be given clear, readily available means to exercise that choice. (For sensitive data the standard is opt-in, not opt-out.)
  3. Accountability for onward transfer – An organization that passes personal data to a third party stays responsible for it: it must honor the Notice and Choice principles and must bind the recipient by contract to provide the same level of protection and to process the data only for the limited purposes the individual agreed to.
  4. Security – Organizations must take reasonable and appropriate measures to protect personal data from loss, misuse, unauthorized access, disclosure, alteration or destruction, taking into account the risks involved in the processing and the nature of the data. In a nutshell, the required level of security is driven by the harm a compromise would cause to the individuals, NOT to the company.
  5. Data integrity and purpose limitation – Organizations must limit collection to what is relevant for the purposes of processing, keep the data accurate, complete and current, and use it only for purposes compatible with those for which it was collected.
  6. Access – Individuals must be able to access the personal data an organization holds about them and to correct, amend or delete it where it is inaccurate or has been processed in violation of the principles (with some exceptions, e.g. where the burden or expense of providing access would be disproportionate to the risk to the individual's privacy).
  7. Recourse, enforcement and liability – In short, individuals must have access to independent recourse mechanisms, at no cost to them, to seek a remedy should the principles above be violated, and organizations face sanctions for non-compliance.

Transatlantic Data Transfer

For the personal data of individuals in Europe to be transferred outside the EU without additional safeguards, the European Commission must first find that the receiving country ensures a level of data protection essentially equivalent to that guaranteed in the EU (an "adequacy decision"). Privacy Shield was such a decision, limited to U.S. companies that self-certified under it.

Why Was Privacy Shield Invalidated?

Privacy Shield was the replacement for the Safe Harbor framework, which the Court of Justice of the European Union (CJEU) invalidated in 2015 after Max Schrems brought legal action (Schrems I) in the wake of the Snowden revelations. Privacy Shield was in turn invalidated by the CJEU's decision in Data Protection Commissioner v. Facebook Ireland and Schrems (Schrems II). There were a number of reasons, but chief among them was the Court's view that U.S. surveillance programs (FISA Section 702 and Executive Order 12333) are not limited to what is strictly necessary and proportionate, and that individuals in the EU have no effective judicial redress against them; the Privacy Shield Ombudsperson did not cure that gap. Given the EU Charter of Fundamental Rights' guarantees of privacy, data protection and an effective remedy, on which the GDPR is built, the outcome was unsurprising.

When Was Privacy Shield Invalidated?

On July 12, 2016, the European Commission adopted its adequacy decision for Privacy Shield, approving it for data transfers between the EU and the U.S. On July 16, 2020, the CJEU invalidated that decision, sending governments on both sides of the Atlantic back to the negotiating table for a new framework.


While EU/US diplomats work out a new path forward, American companies are looking for compliant ways to keep data flowing.

What Is The Impact Of Privacy Shield Being Invalidated?

If you were impacted by the Schrems II decision, you're not alone. The fallout from this ruling left thousands of American companies scrambling for an alternative mechanism for transferring data from Europe. Add to this the complexity and uncertainty of Brexit and some real questions about the validity of Standard Contractual Clauses (SCCs), which the Court upheld only on condition that exporters assess the destination country's laws case by case and add supplementary measures where needed, and you have the makings of quite an interesting year for privacy professionals.

According to PrivacyShield.gov, the framework was relied upon for EU/US transfers by an estimated 4,051 American companies. The ruling came with no grace period, so the runway for moving to other transfer mechanisms was very short, and none of those mechanisms is straightforward or offers a clear future. They are Binding Corporate Rules (BCRs), SCCs and, as a last resort, the derogations for specific situations in Article 49 of the GDPR.

What Is Next For Transatlantic Data Transfers?

On July 3, 2023, the U.S. Secretary of Commerce issued a statement saying the U.S. had fulfilled its commitments for the establishment of the EU-U.S. Data Privacy Framework (DPF), and detailed some of the conditions met. It is now left to the Europeans to decide whether the changes committed to by the U.S. Department of Commerce meet the GDPR's requirements for adequacy. With 10 (and counting) comprehensive state privacy laws enacted in the U.S., we can only wonder how much longer the U.S. can go without a comprehensive national privacy law. It has certainly been an uphill battle, but it seems logical that there will be renewed interest in a single law.

Conclusion

Data movement between Europe and the U.S. is essential to international commerce. A stable and clearly understood transfer framework is critical for businesses operating internationally to remain compliant and to manage their technology and processes. The progress being made by the U.S. Department of Commerce to replace Privacy Shield seems to be just in time. We will be watching closely to see whether this puts a comprehensive U.S. privacy law front and center for U.S. lawmakers, and whether this is the beginning of Schrems III.
