The EU-U.S. Privacy Shield was adopted in 2016 as a cross-border framework between the European Union (EU) and the United States (U.S.) that allows personal data to be transferred from the EU to the U.S. under defined conditions. It replaced the Safe Harbor framework (a self-certification scheme, not an act of Congress), which the Court of Justice of the European Union invalidated in October 2015 and which had long been criticized for weak enforcement and lenient penalties.
The spread of privacy regulation around the globe this year has highlighted the importance of establishing frameworks to govern data transfers across borders. Over the last year, as the GDPR went into effect on May 25, 2018, the European Commission and the U.S. Department of Commerce have been negotiating enhancements to the Privacy Shield intended to satisfy the EU's new requirements, with the European Data Protection Board taking part in the annual reviews. In this post, we examine how the EU-U.S. Privacy Shield agreement is evolving in light of this regulatory change and provide an update on the current negotiations.
Why Is the Privacy Shield Necessary?
The Privacy Shield provides organizations with a framework for the lawful transfer of personal data from the EU to the U.S. It lets U.S. organizations that self-certify be treated as providing adequate protection under the European Commission's adequacy decision, and gives the EU a binding commitment to data protection, despite the absence of a comprehensive federal U.S. privacy law. The Privacy Shield is considerably more stringent than its predecessor, the Safe Harbor framework, in two ways. First, it increases enforcement, oversight, and penalties for non-compliance for organizations that self-certify. Second, it applies to both controllers and third-party processors, increasing the number of U.S. organizations that can be in scope.
The Evolution of the Privacy Shield
At the first annual review of the Privacy Shield in September 2017, the EU expressed concerns over how the U.S. had implemented the Privacy Shield, citing the following key issues:
- U.S. organizations were falsely claiming adherence to the Privacy Shield framework;
- The Federal Trade Commission (FTC) was not proactively enforcing the Privacy Shield or applying stringent policies; and
- The U.S. had not permanently appointed a supervising entity (separate from the FTC) responsible for handling individuals' privacy complaints.
While differences between the EU and U.S. are evident when it comes to the Privacy Shield, both sides are optimistic about the future of the agreement.
Recent Privacy Shield Updates
On October 18-19, 2018, the EU and U.S. review panel met in Brussels for the second annual review of the Privacy Shield. The U.S. delegation responded to the EU's concerns by offering assurances that it would limit the U.S. intelligence community's access to EU citizens' information; a greater emphasis on limiting such interference would strengthen data protection and increase transparency. The European Commission is also calling for more active FTC enforcement and for the permanent appointment of an ombudsperson to address privacy complaints promptly.
What Happens Next?
Following the second annual review, both delegations reaffirmed their commitment to the Privacy Shield, even as the EU called on the FTC to take a more active approach to monitoring and conducting audits. The meeting highlighted an increasingly constructive relationship between the European Commission and the U.S. Department of Commerce as they work to reconcile their differences over data protection.
With a greater commitment from the U.S., negotiations are advancing, and U.S. organizations should again consider Privacy Shield self-certification a sound option for the lawful transfer of data across the Atlantic. The EU and U.S. are currently finalizing policies to address the EU's concerns, and final decisions are expected to be published at the end of November 2018. As decisions are made, we will continue to publish updates.
Sign up for the Focal Point Privacy Pulse, our monthly newsletter for regular updates on global privacy regulations like the Privacy Shield.