The EU/US Privacy Shield Framework


Introduction – what is the Privacy Shield Framework?

On 24 October 1995, the European Commission’s Data Protection Directive came into effect, prohibiting the transfer of the personal data of European residents to non-European Union countries that fail to meet the EU’s “adequacy” standard for data protection. Because strong commercial ties exist between the EU and the US, the transfer of personal data plays a major role in the transatlantic relationship, most especially in the modern-day digital economy.

Most transactions involve the collection and processing of personal data such as names, dates of birth, telephone numbers, residential and email addresses, credit card information, medical data, gender and marital status, as well as other information that reveals a person’s identity, beliefs and sentiments.

The issue here is that your private information gets transferred whenever you

  • buy goods and services online,
  • use social media platforms,
  • use cloud-based storage services, or
  • work for an EU-based corporation that uses a US company to manage its personal data.

Enter the EU-US Privacy Shield Framework!

The PSF enables companies in the US to receive personal data transferred from the EU, provided that the company receiving and processing such personal data maintains a high level of protection under a set of rules.

How does the Privacy Shield Framework Work?

Transferring personal data from the EU to the US can rely on a number of tools, such as binding corporate rules, contractual clauses and the PSF itself. Under the framework, US companies first sign up with the Department of Commerce to take part in the PSF, which is administered by the International Trade Administration, a body within the US Department of Commerce.

The Department ensures that companies comply with their obligations. To gain certification, a company must first develop and establish a privacy policy that conforms to the PSF principles. All companies are obliged to renew their membership annually. Failure to comply with these requirements effectively bars them from receiving and processing personal data transferred from the EU under the framework.

To verify if a company in the US is fully registered under the framework, you can check the Privacy Shield Framework website of the Department of Commerce.

The list contains details of the participating companies, the kind of personal data they use and the services they render.

So what happened to the PSF’s predecessor – the “Safe Harbor Framework” – and why was it invalidated?

It is common knowledge that the privacy law formulated by the EU forbids the transfer of EU citizens’ and residents’ data to any other location unless that location complies with, or is considered adequate under, the EU’s privacy protection regulation.

So, what was the ‘Safe Harbor Framework’? The SHF was a privacy protection agreement entered into by the European Commission (EC) and the United States Government, represented by the Department of Commerce, promising to protect the personal data of EU residents when transferred to the US.

The SHF agreement, established in 2000, enabled U.S. companies such as Google and Facebook to certify themselves, committing to protect the personal data of EU citizens when transferred to and kept within U.S. data centers.

The SHF comprised seven main data protection principles, and the Department of Justice assumed that any company that was a signatory to it would comply with those provisions. Unfortunately, this type of arrangement did not sit well with Austrian privacy laws, and the events surrounding the release of sensitive U.S. intelligence data by whistleblower Edward Snowden further escalated the already tense atmosphere. Austrian privacy watchdogs argued that such leaks meant that the private data of EU citizens could have been shared with U.S. authorities without due process. Max Schrems, the Austrian privacy campaigner, launched a legal action in Ireland against Facebook, which eventually ended up in the European Court of Justice.

In the context of its landmark decision, the ECJ outlined the following points:

  • That the Directive’s standard requires a third country’s rules and regulations to provide an “adequate” level of protection for all personal data in its care, in compliance with the Directives of the EU.
  • That the Safe Harbor Framework, after thorough scrutiny by the court, had failed to comply with that standard as regards enforcement and the management of access to personal information by intelligence agencies, and as regards the ability of EU citizens to enforce and exercise their fundamental rights.
  • The ECJ questioned the rigor with which the Federal Trade Commission enforced the Safe Harbor Framework and faulted the SHF’s reliance on self-certification, holding that the framework had to depend on a “supervision mechanism and effective detection” before it could protect “fundamental rights” in actual practice.
  • The court further stated that the framework and the implementation of its principles allowed national security, law enforcement requirements or the public interest to take precedence over the SHF’s principles. This meant that self-certified U.S. companies receiving and processing personal data transferred from the EU were bound to disregard those principles, without any limitation or control, wherever they allegedly conflicted with such requirements.
  • With reference to the Snowden leaks and the fact-finding 2013 report by the EU Commission on companies involved in the PRISM program (which required unrestricted access to data for U.S. intelligence agencies), the ECJ ruled that the systematic collection and processing of EU citizens’ personal data by U.S. intelligence bodies contravened and greatly undermined the fundamental human rights of EU citizens.

Finally, on 6 October 2015, the European Court, relying overwhelmingly on its conclusion that the SHF could neither provide EU citizens sufficient protection and enforcement of their personal data rights as stipulated under the EU’s privacy protection Directive nor allow them to seek judicial review of alleged violations, declared the Safe Harbor Framework agreement “invalid” and no longer binding.

How the Privacy Shield Framework relates to and functions with the General Data Protection Regulation

The cancellation of the Safe Harbor Framework by the ECJ marked a new dawn in the life of data protection, followed by the creation of the General Data Protection Regulation (GDPR) by the EU and now the EU/US Privacy Shield Framework, a newly devised EU-US privacy protection agreement.

For various organizations such as legal firms, technology providers and in-house corporate counsel, these new legal developments and regulations pose a major challenge in interpreting and understanding the complexity of the incoming rules.

First, to understand how best these two new rules can relate and work with one another we have to consider briefly what exactly each of them represents.

The EU-US Privacy Shield Framework:

A newly designed legal framework that regulates transatlantic personal data transfers between the EU and the US. It is the successor agreement to the Safe Harbor Framework. The ultimate aim of the PSF is to ensure legal certainty for businesses and to protect the fundamental rights of EU citizens whose private data are transferred to the U.S. and/or processed by U.S. companies.

The main features of the Privacy Shield include:

  • Stronger obligations on U.S. companies collecting and processing the personal data of EU citizens to protect such data, with monitoring and enforcement by the Department of Commerce and the FTC.
  • Effective and timely protection of the rights of EU citizens, with the ability to seek some redress.
  • That under the new rule, access to all personal data by U.S. authorities is subject to clear and precise conditions, oversight and limitations.
  • An annual joint review process.


The General Data Protection Regulation is the regulation that replaces the previous and now defunct “Data Privacy Directive”. Its main focus is on unifying the different data regulations existing in the EU countries while simplifying cross-border operations within and outside the EU.

The GDPR’s main features include:

  • Heavy fines and punishment for companies that breach the GDPR, amounting to up to 20 million Euros or 4% of global turnover.
  • That data protection must be incorporated by design into all business dealings with EU citizens’ personal data, and that additional measures must be adopted to safeguard such data.
  • Introduction of data processing policies and impact assessments that aim to hold companies accountable and responsible for their data practices.
  • It applies all across the EU but is also enforceable against companies outside the EU that do business involving EU citizens’ personal data.
  • Individuals have the right to access or erase their data at any time.

From the above main points and features of the two rules, it is clear that they have one thing in common: maximum protection of EU citizens’ personal data rights and privacy.

But how would they really work together?

First, it must be noted that the GDPR will not be operational until May 25, 2018, while the Privacy Shield Framework received approval by the European Commission on July 12, 2016 after a hearing with a group of data protection regulators known as ‘Article 29 Working Party’.

One of the major areas where these two rules could either work together or come into conflict is the ‘cultural difference’ in attitudes to privacy between the US and the EU, together with the differing circumstances that led to the creation of each rule in the first place.

For instance, while the GDPR proceeded directly from the EU’s willingness to protect the privacy rights of its citizens in the face of technological advances, the Privacy Shield, in sharp contrast, came into being in the aftermath of a major court decision that killed its predecessor, the Safe Harbor Framework.

The ideological differences are highly visible, especially when you consider that in the US a person’s right to erase their data is very limited, unlike in Europe, where the GDPR gives every person a right to data erasure (a.k.a. the ‘right to be forgotten’).

Let’s see what happens!


Although it is clear from the outset that the aim of both the GDPR and the EU-US Privacy Shield Framework is to protect the rights of European citizens (a.k.a. data subjects), the discrepancies in ideology, culture and national interest are bound to make these two new data protection regimes strange bedfellows.

On July 12, 2016, the European Commission deemed the EU-U.S. Privacy Shield Framework adequate to enable data transfers under EU law.