EU–US Privacy Shield


The EU–US Privacy Shield was a framework for regulating transatlantic exchanges of personal data for commercial purposes between the European Union and the United States. One of its purposes was to enable US companies to more easily receive personal data from EU entities under EU privacy laws meant to protect European Union citizens. The EU–US Privacy Shield was a replacement for the International Safe Harbor Privacy Principles, which were declared invalid by the European Court of Justice in October 2015. The ECJ declared the EU–US Privacy Shield invalid on 16 July 2020.

History

In October 2015 the European Court of Justice declared the previous framework called the International Safe Harbor Privacy Principles invalid in a ruling that later became known as "Schrems I". Soon after this decision the European Commission and the U.S. Government started talks about a new framework and on February 2, 2016 they reached a political agreement.
The European Commission published the draft "adequacy decision", declaring the principles to be equivalent to the protections offered by EU law.
The Article 29 Data Protection Working Party delivered an opinion on April 13, 2016, stating that the Privacy Shield offers major improvements compared to the Safe Harbor decisions, but that three major points of concern still remain. They relate to deletion of data, collection of massive amounts of data, and clarification of the new Ombudsperson mechanism. The European Data Protection Supervisor issued an opinion on 30 May 2016 in which he stated that "the Privacy Shield, as it stands, is not robust enough to withstand future legal scrutiny before the Court".
On 8 July 2016 representatives of the EU member states approved the final version of the EU-U.S. Privacy Shield, paving the way for the adoption of the decision by the Commission. The European Commission adopted the framework on 12 July 2016 and it went into effect the same day.
U.S. President Donald Trump signed an Executive Order entitled "Enhancing Public Safety" which states that U.S. privacy protections will not be extended beyond US citizens or residents:
The European Commission has stated that:
The Commission said it will "continue to monitor the implementation of both instruments".

Response

German MEP Jan Philipp Albrecht and campaigner Max Schrems criticized the new ruling, with the latter predicting that the Commission might be taking a "round-trip to Luxembourg". Many Europeans demanded a mechanism for individual European citizens to lodge complaints over the use of their data, as well as a transparency scheme to ensure that European citizens' data does not fall into the hands of U.S. intelligence agencies.

Legal challenge

The Privacy Shield has been challenged legally by privacy groups. It is not clear whether the cases will be considered admissible.
As of February 2017 the future of the Privacy Shield was contested. One consultant, Matt Allison, predicted that "The EU's citizen-driven, regulated model will swiftly come into conflict with the market forces of the US and the UK." Allison summarized a new paper in which the European Commission lays out its plans for adequacy decisions and global strategy.
As of December 2019, an opinion had been published that might influence the CJEU decision. It outlined various scenarios that may result from the conflict in regimes. The author concluded that the opinion "should generate equal measures of relief and alarm for the U.S. government and for companies dependent on data transfers. A final judgment from the CJEU, which may or may not follow the advocate general’s recommendations, is expected in a few months."
A final CJEU decision was published on 16 July 2020 in a ruling called "Schrems II". The EU-US Privacy Shield for data sharing was struck down by the European Court of Justice on the grounds that it did not provide EU citizens with adequate protection against government snooping.
The ruling does not stop data transfers between the EU and US as the court upheld the use of "standard contractual clauses", allowing specific consent for such transfers.
A decision regarding the impact of Brexit on Privacy Shield is expected by 31 December 2020, which may be mooted depending on the CJEU decision.

Swiss-US Privacy Shield

Switzerland is not an EU member but follows many EU policies through treaty implementations. Accordingly, it has implemented its own version of the Privacy Shield Framework through its own Swiss-US Privacy Shield. It is largely similar to the EU-US Privacy Shield Framework, but implements its own DPA instead of various EU DPAs. It also has no grace period, and it differs meaningfully in its definition of "sensitive data", in binding arbitration, and in changes to privacy policies. The EU-US and Swiss-US programs are sufficiently similar that they are administered together by the United States.