Digital advancement has drastically changed businesses' operations, including increasing global data flows. One consequential aspect of this transformation is the transfer of data across national borders, which poses significant legal, privacy, and security challenges.

The EU-US Privacy Shield was the framework that, for four years, governed transfers of personal data between the European Union and the United States. It was invalidated in 2020 over the reach of US surveillance law and the lack of effective redress for EU individuals, raising serious questions about the future of transatlantic data exchange.

This article explores the EU-US Privacy Shield, including its core principles and the challenges that led to its invalidation. It also covers the mechanisms organizations have since used to protect transatlantic data transfers and the updated privacy framework between the EU and the US designed to address the shortcomings of the original Privacy Shield.


What was the EU-US Privacy Shield?

The EU-US Privacy Shield was a data privacy framework established in 2016 that regulated transatlantic exchanges of personal data for commercial purposes between the European Union and the United States. It replaced the Safe Harbor agreement, which the Court of Justice of the European Union (CJEU) invalidated due to concerns about American surveillance practices.

The purpose of the EU-US Privacy Shield was to ensure that personal data transferred from EU member states to the US continued to receive a level of protection essentially equivalent to that guaranteed in the EU. The framework imposed safeguards and transparency obligations on US government access to data, provided redress mechanisms for individuals, and established an annual joint review to oversee implementation.

However, the CJEU invalidated the EU-US Privacy Shield in 2020, ruling that the framework did not provide sufficient protection against US surveillance programs or effective redress for EU individuals. Even though it is no longer valid, the Privacy Shield illustrates the importance of cross-border data protection and the tension between one jurisdiction's privacy rules and another's national security laws.

Key principles

The EU-US Privacy Shield framework consisted of seven main principles, the Privacy Shield Principles, which US companies had to follow in order to receive personal data from the European Union. (The “Privacy Shield List” was the separate public register of organizations that had self-certified to the Department of Commerce.) These principles were intended to ensure that a certified company's handling of EU data aligned with EU data protection requirements.

The seven Privacy Shield Principles were:

  1. Notice: Companies must inform individuals about the purpose of collecting and using their personal data, the types of third parties to which they disclose the data, and the fundamental rights and means available to individuals for limiting the use and disclosure of their personal data.
  2. Choice: Individuals must be able to opt out of having their personal data disclosed to third parties or used for a purpose materially different from the one for which it was originally collected or subsequently authorized. For sensitive information (such as health data or racial or ethnic origin), affirmative express (opt-in) consent must be obtained before the data is shared with a third party or used for a different purpose.
  3. Accountability for onward transfer: Personal data may only be transferred to third parties that are bound to provide the same level of protection the principles require. Under this principle, the original recipient remains liable if a third party it engages processes the data in a way that violates the principles.
  4. Security: Organizations must take reasonable and appropriate security measures to protect personal data from loss, misuse, unauthorized access, disclosure, alteration, and destruction.
  5. Data integrity and purpose limitation: Personal data must be relevant and limited to what is necessary for the purposes for which it is processed. Companies must take reasonable steps to ensure that personal data is accurate, complete, and current.
  6. Access: Individuals must have access to personal data held about them and be able to correct, amend, or delete that information where it is inaccurate or has been processed in violation of the principles.
  7. Recourse, enforcement, and liability: Effective mechanisms must exist for individuals to exercise their rights and for ensuring compliance by participating companies, including free-of-charge independent dispute resolution, binding arbitration as a last resort, and remedies for any non-compliance.

These principles provided robust protection for data transferred from the EU to the US, and their enforcement was overseen by the US Department of Commerce and the Federal Trade Commission, among other regulatory authorities.

Who had to comply with the EU-US Privacy Shield?

The EU-US Privacy Shield framework applied to US organizations that received personal data transferred from the European Union, whether they collected, used, or processed it.

Participation was voluntary, but a US company that wanted to rely on the framework to import EU personal data had to join it. Responsibility extended down the chain: when a certified company passed EU data to a third-party processor, it had to contractually ensure that the processor followed the Privacy Shield principles or provided at least the same level of protection.

The compliance process included several steps outlined below.

  • Self-certification requirement: To participate in the Privacy Shield program, a US organization had to self-certify to the Department of Commerce that it adhered to the Privacy Shield principles. Self-certification was voluntary, but once made it became a binding commitment.
  • Public commitment: Companies that self-certified publicly committed to complying with the principles, and that commitment was enforceable under US law by the Federal Trade Commission (FTC) or, for air carriers and ticket agents, the Department of Transportation (DOT). Misrepresenting compliance could result in enforcement action and significant legal and financial consequences.
  • Regular oversight and renewal: Certified companies had to renew their certification annually, which meant continuously maintaining data protection practices in line with the principles and with evolving EU requirements.

These compliance requirements meant that the Privacy Shield was a significant commitment for U.S. businesses handling European data, requiring rigorous data protection standards and regular oversight to ensure ongoing adherence to its principles.

Benefits of the EU-US Privacy Shield

The European Union and the United States implemented the EU-US Privacy Shield to fill the gap left by the CJEU's 2015 invalidation of the Safe Harbor agreement (Schrems I). Safe Harbor was found not to adequately protect European citizens' data from US surveillance, so a more robust framework was needed for cross-border data transfers.

Primary benefits of the EU-US Privacy Shield included:

  • Restoring trust in transatlantic data flows: The Safe Harbor agreement's invalidation led to disruption in the transatlantic data flow that impacted businesses. The Privacy Shield aimed to restore trust with stronger protections and enforcement mechanisms.
  • Enhanced data protection and privacy standards: The Privacy Shield set higher data privacy and security standards, including better compliance monitoring and obligations on companies handling European data.
  • Legal certainty for businesses: The Privacy Shield provided a clear legal framework for data transfer from the EU to the US, ensuring legal certainty for businesses relying on data transfers like big tech companies, service providers, and multinational corporations.
  • Improved redress mechanisms: The Privacy Shield established more accessible and affordable dispute resolution mechanisms, so Europeans could lodge complaints and seek redress if their data was misused. For complaints about access by US national security authorities, the US State Department established an Ombudsperson.
  • Economic and commercial benefits: The deal facilitated safer and easier EU and US data transfers. It simplified data exchange across major finance, e-commerce, advertising, and telecommunications sectors, supporting transatlantic trade and economic growth.
  • Alignment with European standards: By requiring US companies to comply with standards closer to the EU's stringent data protection regulations, the Privacy Shield helped align US practices with European norms, contributing to a higher global standard of data protection.
  • Regular review and monitoring: The framework included an annual joint review mechanism, which allowed European and American authorities to assess the agreement's functioning regularly, ensuring ongoing compliance and promptly addressing any emerging issues.

The benefits of the EU-US Privacy Shield aimed to stabilize and facilitate transatlantic economic relations while ensuring the privacy and protection of transferred personal data. However, the CJEU later found that the Privacy Shield did not adequately protect European citizens from US surveillance, which led to its invalidation despite its advantages.

Why was the Privacy Shield invalidated?

In July 2020, the CJEU invalidated the EU-US Privacy Shield in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18), commonly referred to as “Schrems II.” As with Safe Harbor before it, the primary cause was inadequate protection against US surveillance practices.

The case arose from a complaint by Maximillian Schrems to the Irish Data Protection Commissioner about Facebook Ireland Ltd, arguing that transferring his personal data to the US, where US intelligence agencies could access it, did not adequately protect his rights under EU law. The Court's decision hinged on several critical points:

  • US surveillance laws: The CJEU found that US surveillance programs based on Section 702 of FISA and Executive Order 12333 were not limited to what is strictly necessary and proportionate, as EU law requires. These laws allowed broad surveillance of data transferred to the country, including the data of EU residents.
  • Lack of judicial redress: The Court noted that the Privacy Shield did not give EU individuals rights enforceable in US courts against US authorities, and therefore no effective judicial remedy.
  • Data protection Ombudsperson: The Ombudsperson's role, established under the Privacy Shield to address EU individuals' complaints about national security agencies accessing their data, was deemed not sufficiently independent and lacked the power to make binding decisions on U.S. intelligence services.

Based on these findings, the CJEU concluded that the Privacy Shield did not ensure a level of protection essentially equivalent to that guaranteed by EU law and struck down the adequacy decision with immediate effect. The same judgment upheld Standard Contractual Clauses in principle but required data exporters to verify, case by case, that the destination country's law does not undermine them. Businesses and regulators had to reevaluate and strengthen their mechanisms for transatlantic data transfer.

What replaced the EU-US Privacy Shield?

After the invalidation of the EU-US Privacy Shield, organizations transferring personal data from the European Union to the United States fell back on the other transfer tools in Chapter V of the GDPR, or avoided transfers altogether. These options include:

  • Standard Contractual Clauses (SCC)
  • Binding Corporate Rules (BCR)
  • Codes of conduct and certification mechanisms
  • Derogations for specific situations
  • Data localization

Standard Contractual Clauses

Standard Contractual Clauses (SCCs) are model contracts adopted by the European Commission that bind the data importer to protect personal data leaving the European Economic Area (EEA) to European standards. They became the most commonly used mechanism after the invalidation of the Privacy Shield. An organization relying on SCCs must also assess whether supplementary measures, such as encryption with keys held only in the EEA, are necessary to protect the data against access by US authorities.

After the Schrems II decision, the European Commission adopted a new set of SCCs in June 2021 to align them with the General Data Protection Regulation (GDPR) and address the CJEU's concerns. Companies using SCCs must conduct and document a transfer impact assessment, determining whether the law and practice of the destination country allow the data importer to meet its obligations under the clauses, and adopt supplementary measures where they do not.

Binding Corporate Rules

Multinational companies use Binding Corporate Rules (BCRs) to establish a group-wide privacy policy that is approved by EU data protection authorities. BCRs ensure that personal data transferred outside the EU within the same corporate group adheres to EU data protection standards, which makes them well suited to intra-group transfers. Approval by the competent supervisory authority is required before a group can rely on its BCRs.

Codes of conduct and certification mechanisms

A data importer in a third country such as the United States can also adhere to a code of conduct or certification mechanism approved under the GDPR, coupled with binding and enforceable commitments to apply the appropriate safeguards and respect data subjects' rights.

These commitments can cover data security, transparency, accountability, and more. Once a company has adhered, the commitments are enforceable: if it fails to meet them, it can face penalties and other consequences.

Derogations for specific situations

In certain circumstances, the derogations in Article 49 of the GDPR may apply to individual transfers, such as when the data subject has explicitly consented after being informed of the risks, when the transfer is necessary for the performance of a contract, for important reasons of public interest, or for the establishment, exercise, or defense of legal claims.

These derogations give some flexibility so that transfers can still be made lawfully in exceptional circumstances. They are exceptions and must be interpreted restrictively: they are meant for occasional, non-repetitive transfers and should be used only when no other transfer mechanism is available.

Data localization

Given the difficulty of justifying transfers, some organizations choose to keep personal data and its processing within the EU altogether, avoiding the complexities and risks of cross-border transfers.

Localizing processing keeps the data under the EU's data protection law, the GDPR, and removes the Chapter V transfer requirements from the compliance picture. Two caveats apply. First, remote access from outside the EEA, for example by a US-based administrator or support team, is itself a transfer under the GDPR, so localization only works if access is also confined to the EEA. Second, localization addresses transfer compliance, not breach risk: data stored in the EU still needs the same technical and organizational security measures as data anywhere else.

The future of transatlantic data protection

Following the Court of Justice of the EU's decision to invalidate the previous adequacy decision on the EU-U.S. Privacy Shield, the European Commission and the U.S. government engaged in discussions to establish a new framework that could address the concerns raised by the Court.

President Biden's Executive Order 14086 of October 2022, “Enhancing Safeguards for United States Signals Intelligence Activities,” directly addressed the concerns raised in the Schrems II decision by limiting signals intelligence collection to what is necessary and proportionate and creating a new redress mechanism, which cleared the way for a new transatlantic data flow framework.

The EU-US Data Privacy Framework

On 10 July 2023, the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework (DPF), which allows personal data to flow from the EU to participating US companies without additional safeguards. The framework features enhanced safeguards that limit US intelligence services' access to EU personal data to what is necessary and proportionate to protect national security.

The Executive Order also created the Data Protection Review Court (DPRC), an independent redress mechanism that EU individuals can use to complain about how US intelligence agencies collected or handled their data. If the DPRC finds that data was collected in violation of the new safeguards, it can order the data deleted. These safeguards on government access complement the obligations that US companies importing data from the EU must comply with.

US companies can join the EU-US Data Privacy Framework by self-certifying to the Department of Commerce that they will comply with a detailed set of privacy obligations. These include deleting personal data when it is no longer necessary for the purpose for which it was collected and ensuring continuity of protection when personal data is shared with third parties.

The EU-U.S. Data Privacy Framework will be reviewed periodically by the European Commission, representatives of European data protection authorities, and competent US authorities.

Secure your organization’s data with UpGuard

Data protection is vital whether your organization transfers sensitive information across the world or just across a conference table. Prevent vulnerabilities from becoming security incidents with our all-in-one external attack surface management software, UpGuard BreachSight.

UpGuard BreachSight helps you confidently manage your attack surface, allowing you to discover and remediate risks 10x faster with continuous attack surface monitoring. View your organization’s cybersecurity at a glance with our user-friendly platform, which you can also use to communicate internally about risks, vulnerabilities, or current security incidents. Features include:

  • Continuous monitoring: Get real-time information and manage exposures across domains, IPs, and employee credentials.
  • Attack surface reduction: Reduce your attack surface by discovering exploitable vulnerabilities and domains at risk of typosquatting.
  • Workflows and waivers: Simplify and accelerate how you remediate issues, evaluate risks, and respond to security queries.
  • Reporting and insights: Access reports tailored for stakeholders and view information about your external attack surface.
  • Data leak detection: Protect your brand, intellectual property, and customer data with timely detection of data leaks and avoid data breaches.
