What is the EU-US Privacy Shield?
The Privacy Shield was a legal framework that governed the transfer of personal data between the European Union and the United States. It was meant to ensure adequate protection and safeguards for transferred personal data by holding participants to the EU data protection requirements set out in the GDPR.
The EU-US Privacy Shield Framework was joint legislation between the U.S. Department of Commerce, the European Commission, and the Swiss Administration. It strictly outlined how data can be shared transatlantically for commercial purposes between the U.S., EU member states, and Switzerland.
The Privacy Shield program was negotiated by the Obama Administration and came into effect in 2016, replacing the previous Safe Harbor agreement. However, it only lasted about four years: it was struck down by the European Court of Justice in 2020, which ruled that the data protection safeguards and personal data protections under the agreement were not up to European Union standards.
The Seven Privacy Shield Principles
The Privacy Shield Framework addressed the differences in data privacy regulation within the context of commercial activities between European and American legislation. In short, the guidelines only applied to data regarding EU and Swiss citizens being transferred from Europe to the U.S. — not the other way.
That's because laws like the General Data Protection Regulation imposed rigid requirements when transferring personal data within the European Union, but no such federal data protection laws existed in the U.S.
This was a legislative black hole that had started to impact transatlantic commerce — North American companies needed to be able to process the personal data of EU residents but did not have a similar framework back home.
Data collection and transfers involving only U.S. citizens by a U.S. organization, or only EU/Swiss citizens within EU member states or Switzerland, were not affected by the legislation. The Privacy Shield Framework prioritized seven major principles as part of the regulations.
1. Notice
This principle can be defined as a “right to know.” The Notice principle states that organizations must inform individuals that they’re participating in the Privacy Shield. Additionally, organizations must provide a link or website address that points consumers to the organization’s entry in the Privacy Shield List and its declared adherence to the guidelines.
As with GDPR and CPRA guidelines, organizations must explicitly state what types of data are collected, why the information is collected, and how individuals can access their data and request its removal or limitation if they wish to do so. Likewise, organizations had to provide a valid means of contact through which consumers could make such requests or limitations.
2. Choice
The Choice Principle centers around providing adequate opportunities and access for consumers to “opt-out” of having their personal information collected or shared. More importantly, this option must be explicitly available on an organization’s website.
The Choice Principle goes a step further by also requiring that when sensitive and identifiable information such as health or medical records, racial and ethnic details, religious or political affiliation, sexual orientation, or even organizational affiliations might be collected, the organization must first require an opt-in from the consumer.
The company must also give notice if such information will be shared with third parties — and require that third-party organizations also treat the information as sensitive.
3. Accountability for Onward Transfer
This principle is meant to limit the scope of how personal information is handled when transferred to a third-party organization. Both commercial parties must abide by the Notice and Choice principles outlined above.
Additionally, the scope of use must be limited to specific purposes that align with the consent request agreed to by the consumer. For example, assume a company promises to use consumer emails solely to verify that the account holder is real, and shares those emails with a third-party organization. The data recipient can’t then begin using those emails for marketing outreach unless the consent request from the original organization explicitly stated that the emails would be used in this manner.
The Accountability for Onward Transfer principle also holds third-party data recipients to the same standards as the initial data collectors regarding data security. Also, the third party has the added responsibility of notifying the original data holder company if they can no longer process and maintain data security within the Framework’s guidelines.
4. Security
Unsurprisingly, a Security principle also exists. It essentially maintains that organizations collecting, maintaining, or sharing personal information from consumers must ensure that proper measures have been taken to protect the data from loss, misuse, alteration, abuse, or unauthorized access.
5. Data Integrity and Purpose Limitation
The Data Integrity and Purpose Limitation principle continues with what’s been stated in the Choice and Accountability for Onward Transfer principles. Whereas Accountability for Onward Transfer is more specifically focused on how third-party organizations treat the data they receive, the fifth principle reiterates these expectations for the organization that originally collected information from consumers.
Just like their third-party recipients, the original organization cannot use data in ways that weren’t confirmed when consumers gave consent. Continuing with the email collection example from the third principle, the original organization would also be barred from using the emails received to build a mailing list for marketing campaigns.
6. Access
Companies cannot prevent individuals from accessing data that was collected. The Access principle requires that organizations give individuals the ability not only to access any personal information that was submitted, but to make changes, amend how it can be used, or even delete that information to prevent future use.
The only time this principle isn’t required is if giving a consumer access would create an undue burden on the company or potentially expose other people’s personal information.
7. Recourse, Enforcement, and Liability
Naturally, there has to be a mechanism in place to ensure that these principles are being upheld. The seventh and final principle requires that organizations provide reliable methods for individuals to file complaints as well as to investigate them.
Likewise, mechanisms must be in place to prove that any privacy protection claims made by the organization are being honored. If any breaches in behavior are found, the organization must also be ready to correct the failures as well as respond promptly to official communications from the Privacy Shield Framework Department — regardless of whether the request comes from an EU member state, the Swiss government, or the U.S. government. The Recourse, Enforcement, and Liability principle also required organizations to make public any non-compliance violations identified by the FTC.
Why Was Privacy Shield Invalidated?
Although the Privacy Shield Framework did attempt to create a unified data collection and management agreement between disparate governing bodies, it wasn’t without detractors. There were two primary complaints about the legislation.
First, many EU legislators felt that the Framework didn’t effectively find a balance between the EU’s citizen-focused regulations versus the market-driven U.S. approach. Additionally, many EU privacy advocates took exception to the fact that the Framework was designed in a way that still gave more leeway to the U.S. government.
Second, a common complaint was that, especially in a post-9/11 and Patriot Act America, U.S. intelligence agencies could supersede the Privacy Shield Framework to surveil incoming data from the EU under the guise of national security. The Framework failed to effectively address how this concern was being prevented.
Although the Privacy Shield Framework went into effect in 2016, by 2017 it was already being legally challenged. In 2019, the Court of Justice of the European Union (CJEU) was already chipping away at the Framework through a preliminary case known as Data Protection Commissioner v Facebook Ireland, or Schrems II for short. The judgment outlined potential ways in which data transfers could be used for nefarious purposes, explicitly under regime changes. And, given the Cambridge Analytica scandal, this was a valid concern.
Eventually, on July 16, 2020, the CJEU struck down the Privacy Shield Framework as invalid because it lacked the necessary protections for EU citizens against government surveillance. The Swiss followed a few months later when the Federal Data Protection and Information Commissioner (FDPIC) released a statement that the Swiss-U.S. Privacy Shield Framework failed to provide an adequate level of protection for data transfers that originated in Switzerland and terminated in the U.S. However, transatlantic data transfers did continue.
Privacy Shield Replacement
While the Privacy Shield Framework is no more, commercial enterprises in the U.S. do still have guidelines they can follow to stay compliant with EU data transfer expectations. For the past two years, organizations could look to the Standard Contractual Clauses (SCCs) expectations under EU privacy laws.
However, even this fell short as SCCs struggle to provide guidance when two countries (such as the EU and the U.S.) have opposing legislation on data collection — specifically relating to potential interception by government agencies.
Trans-Atlantic Data Privacy Framework
On October 7, 2022, under the Biden administration, the Trans-Atlantic Data Privacy Framework was adopted under an executive order and later approved for “draft adequacy” in the EU on December 13, 2022. This means that, for now, the new Framework is provisionally approved. However, challenges may occur as with the previous agreement. While much of the original Framework is still in place, the new version provides the protections against U.S. intelligence agency surveillance that many EU officials found missing from the original Framework.
In particular, new additions such as a Data Protection Review Court under the U.S. Department of Justice (DOJ) give EU citizens and government officials a dedicated point of contact to accept and review surveillance complaints. Shifting the complaint management from the Department of State to the DOJ has been viewed as a smart move that eliminates concerns about regime overreach since the DOJ is not considered an intelligence gathering organization — thereby not being biased towards blanket support for surveillance activities.
Understanding Basic EU-US Privacy Regulations
For commercial purposes, the U.S. essentially relies on a somewhat disjointed patchwork of regulations enforced by both federal and state jurisdictions. At the federal level, the government relies on the antiquated Section 5 of the Federal Trade Commission Act from 1914. Meanwhile, state regulations such as the California Consumer Privacy Act of 2018 (CCPA, later expanded by the state’s passage of the CPRA in 2020) or the Connecticut Data Privacy Act of 2022 (CTDPA) are far more explicit on data privacy and access expectations.
By contrast, the EU has a clearly defined overarching policy that explicitly outlines how the governing body expects commercial enterprises to behave regarding personal data collected from citizens within its member states and how those citizens can access and make changes to it. The latest iteration of the EU’s law is known as the General Data Protection Regulation (GDPR) which went into effect in 2018.
Why an International Privacy Shield is Needed
While legislation like GDPR, CPRA, and CTDPA provide a framework for how consumer data should be handled within an organization and what notices must be provided to consumers regarding data usage, these regulations don’t always explicitly state how data should be handled when transferred between organizations — especially internationally.
Because data sharing via processing, rental, or co-marketing campaigns is common practice, frameworks like the Privacy Shield are necessary to confirm that consumer privacy is still upheld when data is shared with third parties.
Wrap-up & Key Takeaways
As with any other privacy laws, commercial enterprises need to be mindful of how data is being used. If you’re relying on the internet to attract and interact with your target audience, there are a few key takeaways you need to understand under the now-invalid Privacy Shield Framework and the provisional Trans-Atlantic Data Privacy Framework.
First, be mindful of how you’re handling customer data — no matter where it originates. As a commercial enterprise, be transparent about what information you’re collecting, how you’re using it, and what other entities (if any) may be given access to it. Likewise, be sure that consumers have proper recourse to access, change, or request deletion of their data. Additionally, if you do share data with third parties, they had better be trustworthy and able to meet the same standards your business is committing to within the Framework.
Understandably, managing privacy policies, regulations, and protocols isn’t always a skill that business owners possess. Thankfully, Enzuzo is a turnkey solution that can help you automate consumer consent and data request management while maintaining compliance with major privacy regulations such as GDPR and CCPA.
Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.