The EU-US and Swiss-US Privacy Shield Frameworks provide companies with a data protection compliance mechanism when transferring personal data from the EU and Switzerland to the US for commercial purposes.
Under the EU General Data Protection Regulation (GDPR), personal data can be transferred outside of the EU based on one of the following grounds:
The EU-US Privacy Shield is recognized as an adequate transfer mechanism for transfers of personal data from the EU to the United States. Over 4600 companies have already certified, including Google, IBM, Facebook, LinkedIn, Twitter, and Microsoft.
Switzerland and the US have their own agreement, called the Swiss-US Privacy Shield, which mirrors the EU-US Privacy Shield agreement. Together with the Swiss Federal Data Protection Act, the Swiss-US Privacy Shield parallels the dynamic between the EU-US Privacy Shield and GDPR.
The Safe Harbor Privacy Principles were jointly developed by the European Commission and the US Department of Commerce to allow for personal data transfers under the previous EU privacy directive and were recognized by the EU Commission in a decision in 2000.
The Snowden revelations in 2013 sparked calls to suspend the Safe Harbor Principles, and the Commission initiated a re-negotiation. While the negotiations were ongoing, Case C-362/14 Maximillian Schrems v Data Protection Commissioner was referred to the Court of Justice of the EU by the Irish High Court. In October 2015, the Court of Justice declared that the Safe Harbor framework "fail[ed] to comply with the requirements" of adequate protection under EU privacy law and was therefore invalid.
To address the ensuing legal uncertainty, on 12 July 2016, the US Department of Commerce and the European Commission announced the launch of a new EU-US Privacy Shield framework to replace the former Safe Harbor Principles as a new transfer mechanism enabling transfers of personal data from the EU to the US.
On 12 January 2017, the Swiss Federal Government approved the Swiss-US Privacy Shield Framework as a valid legal mechanism to allow for the transfer of personal data from Switzerland to the US.
EU and Swiss companies require adequate safeguards when transferring personal data abroad, and the EU-US and Swiss-US Privacy Shields are a straightforward mechanism to allow such transfers to a US company. Therefore, if you as a US company receive personal data from EU and Swiss companies on a regular basis, the Privacy Shield self-certification process can prove more efficient than similar safeguards, such as the contractual Model Clauses.
Certification is especially useful for US companies in the following cases:
It is important to note that the Privacy Shield does not constitute GDPR compliance per se. It is simply a safeguard mechanism that allows EU and Swiss companies to transfer personal data to the US.
The Privacy Shield sets forth seven commonly recognized privacy principles:
At LEXR, we have developed a Privacy Shield Package to help you certify – you can contact us for a free initial consultation.