Posted on 1/18/2017 2:45:41 AM By Alexis Payne


In October 2015, the Court of Justice of the European Union (“CJEU”) in the Schrems case invalidated Safe Harbor protection for the transfer of EU residents’ personal data from EU countries to the U.S.  In response to the demise of Safe Harbor, the EU and the U.S. devised the “Privacy Shield” agreement in August 2016 to resolve issues the CJEU identified in its decision.

Like Safe Harbor, Privacy Shield governs the steps a U.S. organization needs to take in order to ensure that personal data moving out of the EU is adequately protected once received in the U.S. The Privacy Shield also relies on self-certification, but is far more stringent in terms of notice, consent, recertification, the adoption of efficient mechanisms to address privacy concerns raised by EU citizens, and oversight by U.S. governmental agencies.

However, in what has become a concern for U.S.-based businesses, recent developments have called into question the protections afforded under the Privacy Shield. Although the EU Article 29 Working Party (a committee of EU governmental Data Protection Authorities) has agreed not to file any challenges to the Privacy Shield until this summer, several private organizations have filed legal challenges in EU member state and national forums. As a result, the CJEU may ultimately be asked to examine the Privacy Shield and, possibly, invalidate it. This prospect has raised concerns among businesses that once believed their transition from Safe Harbor to Privacy Shield certification protected them.

Despite the recent challenges, Privacy Shield certification is still a recommended way to transfer modest amounts of personal data. The Schrems case raised issues about the sufficiency of Safe Harbor at the time of the case. The developers of the Privacy Shield, with the review and backing of U.S. and EU authorities, designed it with such concerns in mind. Moreover, the benefits of Privacy Shield certification are that the application process is straightforward and that certification allows businesses to represent that the U.S. has sanctioned their data transfer systems.

The hope is that the CJEU recognizes the balance the Privacy Shield struck between individual privacy and the needs of businesses. But uncertainty remains for transfers of personal data from the EU to the U.S., and businesses need to pay attention to developments in this respect. If you have any questions regarding Privacy Shield certification or other matters relating to international transfers of personal data, please contact us.

"Data Privacy"