EU US Privacy Shield

Under EU laws, personal data can only be transferred to a country outside the European Economic Area (EEA) if that country provides an adequate level of data protection. The EU-US Privacy Shield provides a framework which allows such transfers from the EEA to the US under specific circumstances.

The EU-US Privacy Shield scheme became operational on 1 August 2016 after the European Commission issued its formal decision that the Privacy Shield provides adequate protection to allow personal data to be transferred to the United States.

The EU-US Privacy Shield imposes stronger obligations on US companies to protect Europeans’ personal data. The Privacy Shield requires the US to monitor and enforce more robustly, and cooperate more with European Data Protection Authorities. It includes written commitments and assurance regarding access to data by public authorities.

The Privacy Shield allows EU citizens' personal data to be transferred from the EU to a company in the United States, provided that the company there processes (eg uses, stores and further transfers) the personal data according to a strong set of data protection rules and safeguards.

Different tools, such as contractual clauses, binding corporate rules and the Privacy Shield, are available for companies wanting to transfer personal data from the EU to the US.

If the Privacy Shield is used, US companies must first sign up to this framework with the US Department of Commerce. The obligations applying to companies under the Privacy Shield are contained in the 'Privacy Principles'. The 'Privacy Principles' lay out a set of requirements governing participating organisations' use and treatment of personal data received from the EU, as well as the access and recourse mechanisms that participants must provide to individuals in the EU. The 'Privacy Principles' are:

  1. Notice
  2. Choice
  3. Accountability for onward transfer
  4. Security
  5. Data integrity and purpose limitation
  6. Access
  7. Recourse, enforcement and liability

The US Department of Commerce is responsible for managing and administering the Privacy Shield and ensuring that companies live up to their commitments. It checks that companies' privacy policies are adequate and removes from the list any company that no longer meets the requirements.

In order to be able to certify, companies must have a privacy policy in line with the 'Privacy Principles'. They must renew their 'membership' to the Privacy Shield on an annual basis. If they do not, they can no longer receive and use personal data from the EU under that framework.

The EU-US Privacy Shield provides for:

  • strong data protection obligations on companies receiving personal data from the EU
  • safeguards on US government access to data
  • effective protection and redress for individuals
  • an annual joint review by EU and US to monitor the correct application of the arrangement

American companies that want to handle the personal data of EU citizens must register on the Privacy Shield List and self-certify that they meet all the requirements, including the minimum data protection standards. This must be repeated annually.

European citizens who believe their data has been misused by a US company can take the following steps:

  • Lodge a complaint with the company
  • Take the complaint to the relevant US authority (eg Department of Commerce or Federal Trade Commission)
  • Use Alternative Dispute Resolution (ADR) which should be provided free of charge by the company
  • Appeal to the Privacy Shield Panel

Businesses in the UK should not transfer any personal data to a US company unless that company is on the Privacy Shield List or another safeguard is in place; otherwise this could potentially be a breach of the General Data Protection Regulation (GDPR) and/or the Data Protection Act 2018.

All American businesses which handle the personal data of EU citizens should be covered by the EU-US Privacy Shield or binding corporate rules. Furthermore, any UK businesses which use data processing facilities based in the US - including American hosting or cloud service providers - must ensure that such companies are registered on the Privacy Shield List.
