On July 12, 2016, the European Union and the United States announced the EU-U.S. Privacy Shield Agreement, which replaced the Safe Harbor Agreement that had been in place since 2000. The agreement was designed to provide a legal framework for the transfer of personal data between the EU and the U.S., with the goal of protecting the privacy rights of EU citizens.
Under the Privacy Shield, U.S. companies that wish to receive personal data from the EU are required to self-certify that they meet certain data protection standards, which are reviewed by the U.S. Department of Commerce. The EU also has the right to conduct its own assessments of participating companies to ensure compliance with the agreement.
While the Privacy Shield has been criticized by some for not going far enough to protect privacy rights, especially given the ongoing concerns over government surveillance in the U.S., it has been seen as an improvement over the Safe Harbor Agreement. For example, the Privacy Shield provides EU citizens with several avenues for redress if their privacy rights are violated, including the creation of an ombudsperson role within the U.S. State Department.
Since its implementation, thousands of U.S. companies have self-certified under the Privacy Shield, including major tech companies like Google, Facebook, and Microsoft. However, the future of the agreement has been called into question in recent years, following a ruling by the European Court of Justice that invalidated the Safe Harbor Agreement in 2015.
In July 2020, the same court ruled that the Privacy Shield was also invalid, citing concerns over U.S. government surveillance practices. While this ruling was a blow to the agreement, it does not necessarily mean that the Privacy Shield is dead. The EU and the U.S. are currently in talks to negotiate a new data transfer agreement that would address the court`s concerns.
In the meantime, U.S. companies that rely on the transfer of personal data from the EU should continue to follow the Privacy Shield requirements, while also exploring alternative data transfer mechanisms, such as standard contractual clauses or binding corporate rules.
Overall, the EU-U.S. Privacy Shield Agreement is an important development in the ongoing effort to protect the privacy rights of EU citizens. While there are still concerns over its effectiveness, it represents a step forward in creating a more robust legal framework for transatlantic data transfers.