
To and From the EU with Love: Benefits and Implications of Self-Certifying Under the EU-US Privacy Shield Framework

On July 12, 2016, the European Commission adopted its adequacy decision on the EU-US Privacy Shield, a framework for transfers of personal data by private companies from Europe to the United States (“US”) (the “Privacy Shield” or “the framework”).  The framework was developed jointly by the US Department of Commerce and the European Commission.[1]  The Privacy Shield opened for self-certification on August 1, 2016, and since then more than 1,500 companies have joined.[2]  In the US, the Privacy Shield is administered by the International Trade Administration (“ITA”) within the Department of Commerce and enforced by the Federal Trade Commission (“FTC”).[3]  To join, a company must self-certify to the Department of Commerce and publicly commit to a set of privacy requirements governing its processing of personal data about European data subjects.  Joining is voluntary, but once a company chooses to participate, its commitments are fully enforceable under US law.  Many companies treat the Privacy Shield as an additional layer of legal protection on top of Model Contract Clauses (“MCCs”), the main alternative mechanism for international data transfers.

Personal data processed in the European Union and the European Economic Area (together, the “EU” for purposes of this article) is more broadly governed by the Data Protection Directive 95/46/EC (“DPD 95/46/EC” or “the Directive”).[4]  The Directive operates in conjunction with member state data protection laws.  On May 25, 2018, the Directive will be replaced by the General Data Protection Regulation 2016/679 (“GDPR 2016/679”).[5]

This article investigates the regulatory and legal transfer mechanisms under the EU-US Privacy Shield Framework, specifically: (I) History of EU-U.S. Data Transfer Protection Prior to Privacy Shield; (II) Challenges to Model Contract Clauses; (III) Benefits of Joining the Privacy Shield; and (IV) The President Trump Effect.



  I. History of EU-U.S. Data Transfer Protection Prior to Privacy Shield

  1. EU Data Protection History

The EU and the US differ significantly in how they approach data privacy.  In Europe, data protection was first regulated at the international level in 1981 by the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Council of Europe Convention 108).[6]  The Convention required each signatory country to enact its own laws regulating the processing and transfer of personal data.[7]  The European Commission came to see this arrangement as an obstacle to data flows, because each country had its own specific regulations.[8]  The DPD 95/46/EC, adopted in October 1995, created a comprehensive EU framework governing the processing and transfer of personal data.[9]  The Directive set out the basic rules under which public and private organizations could store and transmit personal data, leaving each member state to implement and enforce the Directive through its own national law.[10]  Germany, for example, implements the Directive through the Bundesdatenschutzgesetz.  The Directive and each member state’s data privacy law are enforced by national regulators known as Data Protection Authorities (“DPAs”).  The Directive also allows the European Commission to determine whether a third country provides an “adequate level” of protection.[11]  Adequacy is assessed in light of all the circumstances of a transfer: the nature of the data, the purpose and duration of the processing, the country of origin and the country of final destination, and the laws and security measures in force in the receiving country.[12]

Under the Directive, each EU member state must establish its own DPA to supervise all regulated organizations processing personal data.[13]  Individuals are also granted the right to access and correct their data and to seek remedies if they believe their data has been handled unlawfully.[14]

In the EU, the protection of personal data is a fundamental right.[15]  It is codified in the Charter of Fundamental Rights of the European Union, which became legally binding on all EU member states when the Treaty of Lisbon, signed in 2007, entered into force.[16]

  2. US Data Protection History

In contrast to the EU, the US has no single “overarching data privacy policy,” but rather a patchwork of privacy and data security laws.[17]  A few statutes govern data collected or maintained by the federal government, such as the Privacy Act of 1974 and the Electronic Communications Privacy Act of 1986.[18]  Many other data privacy laws are sector-specific.  For example, the Health Insurance Portability and Accountability Act (HIPAA) governs the use and transmission of protected health information by “covered entities” and “business associates” (e.g., healthcare providers and their subcontractors).[19]

  3. The Beginning and End of Safe Harbor

Beginning in 2000, data transfers between the EU and the US were governed by the “Safe Harbor” arrangement, which the Department of Commerce developed in consultation with the European Commission.[20]  The Safe Harbor was built around seven principles: (1) Notice, (2) Choice, (3) Onward Transfer, (4) Security, (5) Data Integrity, (6) Access, and (7) Enforcement, although adherence to them could be limited to the extent necessary to meet national security, public interest, or law enforcement requirements.[21]  Any company subject to the jurisdiction of the FTC or the Department of Transportation could self-certify under the Safe Harbor, and while it was in force approximately 4,500 companies did so.[22]

The Safe Harbor was invalidated on October 6, 2015 by the Court of Justice of the European Union (“CJEU”) in Schrems v. Data Protection Commissioner.[23]  The case arose from a complaint by Max Schrems to the Irish Data Protection Commissioner about Facebook’s transfer of his personal data from its Irish subsidiary to servers in the US, filed on the heels of Edward Snowden’s revelations about US surveillance programs.[24]  The Commissioner declined to investigate the complaint in reliance on the Commission’s Safe Harbor adequacy decision; on judicial review, the Irish High Court referred the matter to the CJEU, which invalidated the Safe Harbor decision.  The CJEU held that “DPAs must be able to examine, with complete independence, any claim concerning the protection of a person’s rights and freedoms in regard to the processing of personal data relating to him.”[25]  The Safe Harbor decision failed under Article 25 of the Directive, which requires the Commission to examine a third country’s domestic law and international commitments before finding that the country ensures an adequate level of protection.[26]


  II. Challenges to Model Contract Clauses

Following the invalidation of the Safe Harbor, companies continued to transfer data lawfully between the EU and third countries through MCCs (also known as Standard Contractual Clauses).[27]  MCCs permit the transfer of personal data to a third country that has not been found to provide adequate protection, by binding the parties contractually to the Directive’s safeguards.[28]  MCCs became the primary means of transferring data between the EU and the US after the invalidation of the Safe Harbor and before the adoption of the Privacy Shield.

Before a company can rely on MCCs or any other transfer mechanism, it must determine whether it acts as a data controller or a data processor for the particular transfer.[29]  The DPD 95/46/EC requires a data controller to bind any processor acting on its behalf by a contract, commonly called a data processing agreement, whether the processor is domestic or foreign.[30]  MCCs are typically attached to the data processing agreement as an appendix.

Although the Directive defines both terms, the line between controller and processor is not always easy to draw for a given transfer, which can lead to ambiguity in how companies should be labeled in data processing agreements.  In general, a data controller is an entity that determines the purposes and means of the processing, including how a third party will use the data.[31]  The third party that handles the data on the controller’s instructions is the data processor.  A company can act as both a controller and a processor for different aspects of the same data flow.

There are three sets of model clauses: two controller-to-controller sets and one controller-to-processor set.  The benefit of MCCs is that they are pre-approved by the European Commission, accepted by the DPAs, and quick to implement.[32]  MCCs permit data transfers from the EU to any jurisdiction, whereas the Safe Harbor covered only EU-US transfers.[33]

In May 2016, following a reformulated complaint by Max Schrems, the Austrian privacy activist whose first complaint brought down the Safe Harbor, the Irish Data Protection Commissioner commenced proceedings in the Irish High Court against Facebook over its use of MCCs.[34]  Many European privacy professionals believe that the Privacy Shield provides greater protection than MCCs.[35]  Schrems’s goal is to have the Irish High Court refer the case to the CJEU, which could invalidate MCCs throughout the EU.[36]  The remaining alternative to MCCs is binding corporate rules (“BCRs”); although stronger than MCCs, they are not practical or cost-effective for most companies.[37]

The impact of the case would not be limited to Facebook.  The holding could determine the fate of every company using MCCs to transfer data between the EU and the US.  The legal challenge rests on an argument similar to the one made in the Safe Harbor case: that MCCs do not protect European data from mass surveillance by US intelligence agencies.  In particular, the Irish Data Protection Commissioner believes there is no legal remedy available to EU citizens whose data may be “accessed and processed by US agencies in the pursuit of national security.”[38]  The Privacy Shield, by contrast, points EU citizens to avenues for judicial redress, including the Judicial Redress Act.[39]  The High Court hearing began on February 7, 2017, and no decision had been reached as of this writing.[40]


  III. Benefits of Joining the Privacy Shield

The Privacy Shield carries over many concepts from the Safe Harbor, including seven core principles: (1) Notice; (2) Choice; (3) Accountability for Onward Transfer; (4) Security; (5) Data Integrity and Purpose Limitation; (6) Access; and (7) Recourse, Enforcement, and Liability.[41]  However, the Privacy Shield goes a step further on redress: participants must offer individuals binding arbitration as a last resort, must give notice of their obligation to disclose personal data in response to lawful requests by public authorities, and must ensure by contract that third parties receiving personal data provide the same level of protection that the Privacy Shield Principles require.[42]

The self-certification process is relatively straightforward: a company must update its privacy policy to include the specific disclosures required by the Privacy Shield Principles and submit a self-certification to the Department of Commerce committing to follow the Principles.[43]  Once certified, maintaining compliance is “rigorous”: the company must re-certify annually, must handle data in accordance with the Principles at all times, and must verify its own handling of that data.[44]  The fee for joining the Privacy Shield is tiered by a company’s annual revenue, and the fees fund the administration of the framework.[45]

Although US companies transferring data under MCCs are under no legal obligation to join the Privacy Shield, joining may significantly increase their marketability as compliance-focused companies.  The disadvantage is that participants hold themselves to a higher legal standard and become subject to sanctions for violating it.  If an organization chooses to join, the “principles apply immediately upon certification.”[46]  Furthermore, if a company later leaves the Privacy Shield, any personal data it received while a member must continue to be handled under the Principles for as long as the company retains it.[47]

The Privacy Shield is not without detractors within the EU.  Max Schrems, who led the legal charge against both the Safe Harbor and MCCs, has called the Privacy Shield no more than “a little upgrade.”[48]  Schrems is an Austrian law graduate and privacy activist who turned his attention to EU-US data transfers after Edward Snowden released classified documents about the National Security Agency’s surveillance programs.[49]  When EU member states voted on the Privacy Shield, only four abstained and none voted against, which suggests that the detractors’ influence is relatively limited.[50]  The detractors’ primary argument is that a durable EU-US transfer system would require the US to overhaul its entire data privacy framework.[51]  Schrems seems likely to challenge the Privacy Shield in the future, pointing to the lack of redress options available to EU citizens.[52]


  IV. The President Trump Effect

President Trump’s arrival in the White House has brought a series of executive orders that create uncertainty about the long-term viability of the Privacy Shield.  One such order directs federal agencies to exclude persons who are not US citizens or lawful permanent residents from the protections of the Privacy Act of 1974.[53]  The Privacy Act governs personal information about individuals held in federal agency records; the executive order withdraws those protections from non-US citizens, including those living in the United States.[54]

Trump has also spoken out against international agreements and has threatened to overturn executive orders issued by President Obama.[55]  This is concerning because the US commitments underpinning the Privacy Shield rest in part on executive action, in particular Presidential Policy Directive 28 (PPD-28), which limits the use of signals intelligence and on which the European Commission relied in its adequacy decision.[56]  If that directive were rescinded, the Privacy Shield would likely collapse.[57]

Fortunately, the European Commission recently issued a statement reassuring the public that the Privacy Shield remains in force for the time being, based on a technical argument.[58]  The Commission’s position is that Trump’s executive order does not directly affect the Privacy Shield, because the Privacy Shield governs data transferred to private entities, whereas the Privacy Act covers only records maintained by government agencies.[59]  Although the Privacy Shield is currently enforceable, Trump’s foreign policy agenda creates legal uncertainty for EU regulators and policymakers, which ultimately increases the risk associated with all international data transfers between the EU and the US.[60]


For the foreseeable future, uncertainty will surround the Privacy Shield’s impact on international data transfers.  The Privacy Shield is due for its first annual joint review this summer, which will help determine its long-term viability.  By joining the Privacy Shield, companies that transfer data under MCCs gain an extra layer of legal security.  The major drawback remains that they take on additional regulatory obligations.

If both the Privacy Shield and MCCs were invalidated, companies might have no choice but to pursue BCRs.  It is unlikely that both will be invalidated, and in any event BCRs are not practical for most companies.  Adding to this uncertainty is the unpredictability of President Trump: while he has never expressly objected to commercial data transfers between companies, he could move against them under his broader national security agenda.  Regardless of whether MCCs are ultimately invalidated, companies should actively pursue self-certification under the Privacy Shield, because it gives them an additional layer of legal security and may increase their marketability by showing that they adhere to a strict data transfer mechanism.

[1] See generally European Commission – Press Release, European Commission launches EU-U.S. Privacy Shield: stronger protection for transatlantic data flows, (last visited Feb. 28, 2017) (explaining reasons for European Commission adoption of EU-US Privacy Shield).  See also (last visited Feb. 28, 2017) (explaining adequacy of EU-US Privacy Shield).  Fact Sheet (last visited Feb. 28, 2017).  See European Commission, EU-U.S. Privacy Shield: Frequently Asked Questions, What is an adequacy decision, (last visited Feb. 28, 2017) (defining adequacy decision).  An adequacy decision is “a decision adopted by the European Commission, which requires that a non-EU country ensure an adequate level of protection of personal data by reason of its domestic law and international commitments.”  Id.  See generally Privacy Shield, Privacy Shield Framework (last visited Feb. 28, 2017) (explaining Privacy Shield).  See also EU-U.S. Privacy Shield, European Commission (last visited Feb. 28, 2017) (detailing elements of Privacy Shield).

[2] See The Privacy Shield: September 30, 2016, Deadline for Early Self Certification Offers Compliance Opportunity and Risk, McDermott, Will & Emery (last visited Feb. 28, 2017) (detailing effective date of Privacy Shield).

[3] See International Trade Administration, About the International Trade Administration, Overview, (last visited Feb. 28, 2017) (explaining purpose of International Trade Administration).  “The [ITA] strengthens the competitiveness of US industry, promotes trade and investment, and ensures fair trade through the rigorous enforcement of our trade laws and agreements.  ITA works to improve the global business environment and helps US organizations compete at home and abroad.” Id.

[4] See DPD 95/46/EC, (last visited Feb. 28, 2017) (detailing EU data privacy law).

[5] See EU Regulation 2016/679 (last visited Feb. 28, 2017) (detailing EU data privacy law as of 2018). 

[6] See Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Council of Europe, European Treaty Series No. 108 (last visited Feb. 28, 2017) (detailing that data regulation was left to each individual country).

[7] See Id.

[8] See Id.

[9] See Martin A. Weiss & Kristin Archick, U.S.-EU Data Privacy: From Safe Harbor to Privacy Shield, Congressional Res. Serv. 1 (last visited Feb. 28, 2017) (explaining history of data transfers between EU-US).

[10] See Id. at 2-3.  Each member state had three years to adopt the directive.  Id. 

[11] See Id.

[12] See Id.

[13] See Weiss, supra note 9 at 3.

[14] See Id.

[15] See Id. at 2.

[16] See Id.  See generally Charter of Fundamental Rights of the European Union, Official J. of the European Communities (last visited Feb. 28, 2017) (explaining EU citizen rights to data protection); Treaty of Lisbon, 50 Off. J. of the European Communities 1 (last visited Feb. 28, 2017) (detailing codification of Charter of Fundamental Rights of the European Union). 

[17] See Weiss, supra note 9 at 2.

[18] See Id. at 4.

[19] See Id.  See also 45 C.F.R. 160.103 (defining Covered entity and Business Associate).

[20] See Kelly Clark, The EU Safe Harbor Agreement is Dead, Here’s What To Do About it, Forbes (last visited Feb. 28, 2017) (detailing European Court of Justice’s order ruling Safe Harbor Invalid).  See also Ernst-Oliver Wilhelm, A Brief History of Safe Harbor, IAPP (last visited Feb. 28, 2017) (outlining history of data protection since Safe Harbor).  Before the Safe Harbor, countries transferred data outside the EU via MCCs.  Id.

[21] See Weiss, supra note 9 at 5 (explaining structure of Safe Harbor).

[22] See Id.

[23] See The Court of Justice declares that the Commission’s US Safe Harbour Decision is invalid, Court of Justice of the European Union Press Release (October 6, 2015) (last visited Feb. 28, 2017) (declaring invalidation of EU-US Safe Harbor Agreement).  See also Maximillian Schrems v. Data Protection Commissioner, Case C-362/14 (CJEU Oct. 6, 2015) (last visited Feb. 28, 2017) (holding EU-US Safe Harbor invalid).

[24] See Weiss, supra note 9 at 6-7 (explaining CJEUs holding invalidating Safe Harbor). 

[25] See Id.

[26] See Id.

[27] See Jedidiah Bracy, Model clauses in jeopardy with Irish DPA referral to CJEU, IAPP (last visited Feb. 28, 2017) (detailing case against MCCs).

[28] See Melinda L. McLellan & William W. Hellmuth, Safe Harbor is Dead, Long Live Standard Contractual Clauses, Data Privacy Monitor (last visited Feb. 28, 2017) (explaining benefits of MCCs).  See also DPD 95/46/EC, supra note 4, at Article 26(2) (authorizing transfers to a third country without an adequacy finding where the controller adduces adequate safeguards, which may result from appropriate contractual clauses).

[29] See Id.

[30] See DPD 95/46/EC, supra note 4 at Article 17(3) (stating requirement for data processing agreements).  See also EU Regulation 2016/679, supra note 5.  Data processing agreements will be governed by Article 28(1)-(3) in the GDPR.

[31] See Id.

[32] See Id.  See also (explaining role of European Data Protection Supervisor); Model Contract Clauses – International transfers of personal data, Information Commissioner’s Off. (last visited Feb. 28, 2017) (explaining different model contract clauses).

[33] See Id.

[34] See generally Bracy, supra note 27.  “All data protection lawyers knew that model contracts were a shaky thing, but it was so far the easiest and quickest solution that they came up with.”  Id. 

[35] See Id.

[36] See Id.  See also Binding Corporate Rules, Allen & Overy 2, 4 (last visited Feb. 28, 2017) (defining BCRs).  BCRs “are a set of binding rules that can be put in place to allow multinational groups to transfer personal data that they control from the EEA to their affiliates outside the EEA in compliance with national laws implementing the EU directive.”  Id.  See also Bracy, supra note 27 (explaining alternative to MCCs).  BCRs are more expensive and take time to implement, but they are “the gold standard of global privacy.”  Id.

[37] See Id.

[38] See Quentin Archer, My thoughts on the Trump presidency and trans-border data flows, IAPP – Privacy Perspectives (last visited Feb. 28, 2017) (explaining potential effect President Trump may have on international data transfers).

[39] Natasha Lomas, Legal challenge to Facebook EU-US data transfer mechanism kicks off in Ireland, Tech Crunch (last visited Feb. 28, 2017).  See also Update on Litigation Involving Facebook and Maximilian Schrems, Data Protection Commissioner (last visited Feb. 28, 2017) (explaining progression of litigation of model contract clauses). 

[40] See Lomas, supra note 39.

[41] See Requirements of Participation, Privacy Shield Framework (last visited Feb. 28, 2017) (outlining Privacy Shield Principles).

[42] See Id.

[43] See How to Join Privacy Shield (Part 1), Privacy Shield Framework (last visited Feb. 28, 2017) (identifying steps 1-2 of how to join Privacy Shield).  A company must: “(1) Confirm [Their] Organization’s Eligibility to Participate in Privacy Shield; and (2) Develop a Privacy Shield-Compliant Privacy Policy.”  Id.  See also How to Join Privacy Shield (Part 2) (last visited Feb. 28, 2017) (identifying steps 3-7 of how to join Privacy Shield).  A company must: “(3) Identify Your Organizations Independent Recourse Mechanism; (4) Ensure that Your Organization’s Verification Mechanism is in Place; (5) Designate a Contact in Your Organization Regarding Privacy Shield; (6) Review the Information to Self-Certify; and (7) Submit Your Organization’s Self-Certification to the Department of Commerce.”  Id. 

[44] Kim Roberts, The Privacy Shield 5 Months Later, Law360 (last visited Feb. 28, 2017) (explaining progression of Privacy Shield adoption).  See also McLellan, supra note 28.  The Privacy Shield is particularly useful for companies that conduct business in Germany, because the German data protection authorities take the view that the data protection regime in the US “does not provide the protection required for transfers of personal data from the EU.”  The German data protection authorities’ position paper stated, “‘[p]rivate bodies, which use Standard Contractual Clauses to transfer personal data to the US, now need to consider terminating the underlying standard contract with the data importer in the United States or suspending data transfers. In consistent application of the requirements explicated by the CJEU in its judgment, a data transfer on the basis of Standard Contractual Clauses to the US is no longer permitted.’”

[45] See Privacy Shield Overview Frequently Asked Questions, Privacy Shield Framework (last visited Feb. 28, 2017) (detailing annual price structure for self-certification under Privacy Shield).  This price is determined based on the organization’s annual revenue.  Id.  The annual fee is paid to the ITA and it helps to run the Privacy Shield.  Id.  More specifically, this fee supports the “administration and supervision of the Privacy Shield program and support the provision of Privacy Shield-related services, including education and outreach.”  Id.

[46] See Roberts, supra note 44.

[47] See Accountability for Onward Transfer, Privacy Shield Framework (last visited Feb. 28, 2017) (explaining third-party data processors held to same Privacy Shield protection requirements).

[48] See Id.

[49] See Tim Walker, Max Schrems: Austrian law graduate who became a champion of Facebook users, The Independent (last visited Feb. 28, 2017) (detailing background of Max Schrems).  Schrems first challenged Safe Harbor when he was still a law student.  Id. 

[50] See Accountability for Onward Transfer, supra note 47.  See also Jedidiah Bracy, EU Member States approve Privacy Shield, IAPP (last visited Feb. 28, 2017) (detailing which countries abstained from Privacy Shield vote).  The four countries that abstained from the vote were Austria, Croatia, Slovenia, and Bulgaria.  Id.  See generally Weiss, supra note 9.  The EU is made up of twenty-eight states, which include: Austria; Belgium; Bulgaria; Croatia; Cyprus; the Czech Republic (now Czechia); Denmark; Estonia; Finland; France; Germany; Greece; Hungary; Ireland; Italy; Latvia; Lithuania; Luxembourg; Malta; the Netherlands; Portugal; Romania; Slovakia; Slovenia; Spain; Sweden; and the United Kingdom.

[51] See Accountability for Onward Transfer, supra note 47.

[52] See Lomas, supra note 39.  See also Sam Pfeifle Privacy Shield faces skepticism in the marketplace, but standard contractual clauses pose the biggest risk for market upheaval, IAPP (last visited Feb. 28, 2017) (explaining uphill battle still to go for Privacy Shield).

[53] Natasha Lomas, Trump order strips privacy rights from non-U.S. citizens, could nix EU-US data flows, Tech Crunch (last visited Feb. 28, 2017) (explaining effect of executive order on EU-US data flows).  This was signaled in a tweet by Jan Philipp Albrecht, the European Parliament’s rapporteur on the General Data Protection Regulation.  Id.  The European Commission later clarified that the executive order does not affect the Privacy Shield.

[54] See 5 U.S.C. § 552a.  See also Dena Feldman, Senate Committee Passes Judicial Redress Act, May Assist Safe Harbor Negotiations, The National Law Review (last visited Feb. 28, 2017) (explaining purpose of Judicial Redress Act).  The Judicial Redress Act allows citizens of the EU and of other designated countries to sue in US courts under the Privacy Act when they allege that the US government has misused their data.  Id.  See European Parliament Approves EU-U.S. Umbrella Agreement, The National Law Review (last visited Feb. 28, 2017) (detailing protections of the EU-US Umbrella Agreement).  The executive order does not affect the Privacy Shield, which does not rely on protections under the Privacy Act.  Id.  Nor does the executive order invalidate the EU-US Umbrella Agreement, which governs the exchange of personal data for law-enforcement purposes.  Id.  See Questions and Answers on the EU-U.S. Data Protection “Umbrella Agreement,” European Commission (last visited Feb. 28, 2017) (explaining purpose of Umbrella Agreement).  Data transferred under the Umbrella Agreement can be used only for law-enforcement purposes, and the judicial redress it promises EU citizens in US courts is delivered through the Judicial Redress Act.  Id.

[55] See Archer, supra note 38.

[56] See Id.

[57] See Id.

[58] See Lomas, supra note 53.

[59] See Id.

[60] See Id.

© Colin M. Desko.  National Law Review, Volume VII, Number 83

About this Author

Colin M. Desko, Law Student, Suffolk University Law School
Law Student

Colin Desko is a second-year student at Suffolk University Law School, where he is a staff member of the Suffolk Law Journal of Health and Biomedical Law and a member of the National Trial Team.  He is pursuing a concentration in Health and Biomedical Law.  Currently, he is interning for a healthcare tech start-up.  He has an interest in healthcare data protection and compliance.  He holds a Bachelor of Arts in International Relations and Asian Studies from Hobart College in Geneva, New York.