Privacy Shield Overview & Tentative Take-Up


A little over a month into Privacy Shield, and the data transfer agreement now protects 200 business entities, but there is still some legal uncertainty surrounding the agreement.

European Courts in individual companies may challenge the new Privacy Shield laws, which ultimately go to the EU Court of Justice.

Most Data Protection Authority (DPAs) are operating under the notion that they should give the new laws a full year to work out any bugs before filing any complaints (link to last Privacy Shield post), but in some places like Hamburg, Germany, DPAs are already planning to challenge the new laws.

The decision to replace EU-US Safe Harbor Framework with Privacy Shield was heavily informed by the Edward Snowden revelations regarding the US government’s bulk data collection practices. (Keep an eye out for next week’s review of Snowden and the live Q&A after the movie premiere.)

Privacy Shield applies to data transfers from the EU to the US, and for organizations that are regulated by the FTC or DoT. Financial organizations, for example, aren’t directly affected by Privacy Shield because they aren’t regulated by those governing bodies.

Many global organizations need to implement the Privacy Shield requirements indirectly, because US organizations that self-certify push the Privacy Shield obligations onto their vendors via contractual terms. Privacy Shield indirectly applies to any organization with which a Privacy Shield-compliant company transfers personal data, to some extent.

Self-certifying for Privacy Shield will ensure lawful overseas transfers in the short-term, however, US companies are advised to continue considering and implementing other compliance solutions to legitimize transatlantic data transfers for the time being.