Fact Sheet of the European Commission about the EU-U.S. Privacy Shield

1. March 2016

On the 29th February 2016, the European Commission released a fact sheet about the Frequently Asked Questions related to the EU-U.S. Privacy Shield. The EU-U.S Privacy Shield aims at regulating international data transfers between the EU (including EEA countries Norway, Lichtenstein and Iceland) and the U.S. after the Safe Harbor Decision was declared invalid by the ECJ on October 2015.

The EU-U.S Privacy Shield is a new adequacy decision, under which the U.S. companies that comply with the described data protection principles and abide the obligations described in the framework, will be considered as ensuring an adequate level of data protection.

In contrast to the former Safe Harbor Decision, the EU-U.S. Privacy Shield imposes stronger obligations on companies related to monitoring and enforcement and prevents generalized access to EU personal data from U.S. public Authorities.

Under the Privacy Shield, U.S. companies will have to self-certify that they meet the requirements described in the Framework. The U.S. Department of Commerce will actively verify that the certifying company actually meets the requirements to certify, for example by reviewing the company´s privacy policy.

A key aspect of the Privacy Shield is the possibility for EU data subject to obtain redress in the US in case that their personal data is misused by commercial companies. The possibility to redress involves the following alternatives for the data subject:

  • to lodge a complaint with the company itself, or
  • to complaint towards their local DPA, or
  • to use the Alternative Dispute Resolution (ADR) mechanisms, or
  • through arbitration by having recourse to the Privacy Shield Panel, if the case is not resolved by any of the abovementioned alternatives.

The possibility to redress with regard to national security will be ensured by the institution of the Ombudsman.

All these aspects of the new EU-U.S. Privacy Shield have been reflected in the Judicial Redress Act, signed on February, 24th. This Act gives EU citizens the possibility to address privacy issues to U.S. Courts in relation to personal data transfers for law enforcement purposes. This Act aims at providing EU citizens with the same rights as U.S. citizens.

Also, the so called EU-U.S. “Umbrella-Agreement” covers relevant aspects of data protection regarding EU-U.S. law enforcement cooperation for the purposes of crime and terrorism prevention. This agreement is not a legal basis for data transfers itself, but it will provide safeguards for data transfers made under other existing agreements.

Category: EU Commission · European Data Protection · USA
Tags: