January 31, 2023

Volume XIII, Number 31


January 31, 2023

Subscribe to Latest Legal News and Analysis

January 30, 2023

Subscribe to Latest Legal News and Analysis

European Commission Releases Details of New EU-US Privacy Shield

The new EU-US Privacy Shield seeks to address the European Court of Justice’s criticisms in Schrems after the decision invalidated the Safe Harbor program for EU-US data transfers.

On February 29, the EU Commission released the Privacy Shield draft adequacy decision, four weeks after the initial announcement of the EU-US Privacy Shield, which has been put forth as the replacement for the invalidated Safe Harbor program that previously governed transfers of personal data between the European Union and the United States.[1] 

As expected, the European Commission has attempted to tighten up the information governance obligations for US companies that import personal data from Europe following the European Court of Justice's criticisms of the now invalid Safe Harbor program in Maximillian Schrems v. Data Protection Commissioner in October 2015.[2]

We provide an overview of the draft EU-US Privacy Shield and next steps for its adoption.

Privacy Shield List and Principles

  • Similar to the Safe Harbor, the US Department of Commerce will maintain and make available to the public an authoritative list of US organizations (Privacy Shield List) that have self-certified to the department and declared their commitment to adhere to the Privacy Shield Principles.

  • The EU-US Privacy Shield is premised upon the Privacy Shield Principles issued by the US Department of Commerce: notice, choice, accountability of onward transfers, data security, data integrity, purpose limitation, data access, recourse, enforcement, and liability. These principles are similar to the commitments of data importers under the Safe Harbor, but the necessary disclosures for each are much more detailed.

  • US data importers must commit to employ effective mechanisms for assuring compliance with the Privacy Shield Principles. In particular, they must

    • provide recourse for individuals who are the subjects of the data,

    • implement follow-up procedures for verifying that the attestations and assertions they have made about their privacy practices are true, and

    • remedy problems arising from a failure to comply with the Privacy Shield Principles.

  • A data importer commits to cooperate with the EU Data Protection Authorities (DPAs) by declaring in its Privacy Shield self-certification submission to the Department of Commerce that the organization adheres to the Privacy Shield Recourse, Enforcement and Liability Principles by committing to cooperate with the DPAs, including during investigations to resolve  complaints. Specifically, a data importer must agree that it “will comply with any advice given by the DPAs where the DPAs take the view that the organization needs to take specific action to comply with the Privacy Shield Principles, including remedial or compensatory measures for the benefit of individuals affected by any non-compliance with the Principles, and will provide the DPAs with written confirmation that such action has been taken.”

    It is unclear at this time whether this commitment goes beyond the cooperation commitments that existed under the Safe Harbor.

  • A data importer that self-certifies to join the Privacy Shield List to cover EU human resources data transferred in the context of the employment relationship must commit to cooperate with the DPAs with regard to such data.

  • While the Department of Commerce will publicly “name and shame” US companies that are not in compliance with the commitments under the EU-US Privacy Shield, the Federal Trade Commission (FTC) and other US agencies will likely enforce the obligations more vigorously than they did under Safe Harbor.

New Avenues for Legal Redress

Data subjects will be able to lodge complaints under the EU-US Privacy Shield with the companies and with the relevant DPA:

With the company

  • Complaints by the data subjects must be resolved by companies within 45 days.

  • To resolve a dispute, a no-cost Alternative Dispute Resolution solution will be available.

With a DPA

  • If the EU data subjects file a complaint with their national DPA, the DPA will then contact the FTC to ensure that unresolved complaints by EU citizens are investigated and resolved.

  • As a last resort, there will be an arbitration mechanism to help ensure an enforceable remedy. Moreover, data importers must commit to comply with advice from European DPAs. This is obligatory for companies handling human resource data.

Privacy Shield Ombudsperson Created for US State Department

A letter from US Secretary of State John Kerry describes the role of the new Privacy Shield Ombudsperson at the US State Department. The Privacy Shield Ombudsperson will work closely with “other United States Government officials, including appropriate independent oversight bodies, to ensure that completed requests are processed and resolved in accordance with applicable laws and policies.” It is intended that the ombudsperson will coordinate national security access to data transmitted from the European Union to the United States pursuant to the EU-US Privacy Shield, standard contractual clauses (SCCs), and binding corporate rules (BCRs).

Next Steps

The adoption process will likely take several weeks, if not months, and the EU Parliament will play an active role in the process. Next steps will include the following:

  • An EU committee composed of representatives of the EU Member States (the College) will be consulted.

  • EU Data Protection Authorities (Article 29 Working Party) will give their opinion, before a final decision by the College.

  • The EU Commission will vote on the “adequacy” of the EU-US Privacy Shield.

The European Commission has, in conjunction with US authorities, attempted to address the potential data privacy breach issues arising in the context of US authorities accessing European personal data. This issue was a key aspect of the Schrems decision, and is the most likely basis for any future challenge to the validity of the EU-US Privacy Shield. The next step will likely be an opinion from the Article 29 Working Party on the Privacy Shield Principles.

[1] See “EU-US Privacy Shield to Replace Safe Harbor.”

[2] See “EJC Rules EU-US Safe Harbor Programme Is Invalid.”

Copyright © 2023 by Morgan, Lewis & Bockius LLP. All Rights Reserved.National Law Review, Volume VI, Number 62

About this Author

Dr. Axel Spies, Telecommunications and technology lawyer, Morgan Lewis
Special Legal Consultant

Dr. Axel Spies has advised clients for many years on various international issues, including licensing, competition, corporate issues, and new technologies such as cloud computing. He counsels on international data protection (EU General Data Protection Regulation), international data transfers (Privacy Shield), healthcare, technology licensing, e-discovery, and equity purchases. A member of the Sedona Conference on Electronic Discovery, Dr. Spies is frequently quoted in the media for his telecommunications and privacy knowledge.

Gregory Parks, privacy and cybersecurity lawyer, Morgan Lewis

Gregory T. Parks counsels and defends retail companies and other consumer facing clients in matters related to privacy and cybersecurity, class actions and Attorney General actions, consumer protection laws, loyalty and gift card programs, retail operations, payment mechanisms, product liability, waste management, shoplifting prevention, compliance, antitrust, and commercial disputes. If it is important to a retail company, Greg makes it his business to know it. He handles all phases of litigation, trial, and appeal work arising from these and other areas. Greg is the co...

Mark Krotoski, Litigation attorney, Morgan Lewis

Mark L. Krotoski represents and advises clients on antitrust cartel investigations; cybersecurity and privacy matters; trade secret, economic espionage, fraud, and foreign corrupt practices cases; and government investigations. With nearly 20 years of experience as a federal prosecutor and a leader in the US Department of Justice (DOJ), Mark provides clients with a unique blend of litigation and investigative experience. He has tried 20 cases to verdict and successfully argued appeals before the US Court of Appeals for the Ninth and Sixth Circuits.

Pulina Whitaker, Morgan Lewis, labor and employment lawyer

Pulina Whitaker’s practice encompasses both labor and employment matters as well as data privacy and cybersecurity. She manages employment and data privacy issues in sales and acquisitions, commercial outsourcings, and restructurings. Pulina provides day-to-day advisory support for multinationals on all employment issues, including the UK’s Modern Slavery Act and gender pay reporting requirements. She also advises on the full spectrum of data privacy issues, including preparing for the General Data Protection Regulation. Pulina has deep experience managing international...

Matthew Howse, Employment law attorney, Morgan Lewis

As practice group leader for Morgan Lewis’s labor and employment practice in London, Matthew Howse represents clients in the financial services, media, legal, and insurance industries in High Court and employment tribunal litigation. His experience includes employment law as well as privacy and cybersecurity law. In addition to litigating both contentious and noncontentious issues, Matthew provides strategic employment law advice and counsels clients on the employment law aspects of transactions.

44 (0)20 3201 5670