Electronic Discovery & Information Governance - Tip of the Month: Preparing to Meet Strengthened Commitments to Privacy Under the New EU-US Privacy Shield

Author: Mr Kendall Burman and Kim A. Leffert
Profession: Mayer Brown


A large company with offices in Europe and the United States has self-certified its adherence to the EU-US Safe Harbor framework and relies on the framework for its intra-company transfers of data. Then the Safe Harbor framework is struck down by the Court of Justice of the European Union. The company's general counsel is pleased to learn that a new framework, the EU-US Privacy Shield, has been proposed, but isn't sure what the company will need to do to comply with the new Privacy Shield if the new framework is formally adopted.


In October 2015, the Court of Justice of the European Union ("CJEU") held that transfers of personal data from Europe to the United States made under the so-called EU-US Safe Harbor scheme were invalid, as those transfers did not ensure an adequate level of protection under European data protection law. The case was filed by Max Schrems, a Facebook subscriber from Austria, who complained that the Safe Harbor framework failed to adequately protect his data when it was transferred by Facebook from Ireland to the United States.

In the aftermath of the decision, the Article 29 Working Party (the organization that represents the data protection authorities of the European Union) set the end of January as the deadline by which representatives of the European Union and the United States had to find solutions to address the CJEU's decision in Schrems. Negotiations between the European Union and the United States to improve the Safe Harbor framework had been ongoing since the framework first came under scrutiny after Edward Snowden's revelations concerning US surveillance.

Announcement of New Privacy Shield

On February 2, 2016, the European Commission announced that it had reached a high-level agreement on a series of measures with the United States to resolve the issues identified in the CJEU's ruling. The new framework is called the EU-US Privacy Shield, and it includes the following commitments:

An organization must publicly commit to the manner in which, and the purposes for which, it will process personal data in the United States and agree to comply with enhanced requirements about the manner in which personal data will be processed by it.

Existing restrictions concerning onward transmission of personal data from the United States to other countries will be tightened.

Each organization that certifies that it complies with the EU-US Privacy Shield scheme will have its compliance with the scheme...
