JEI - Jus e Internet

The first legal information outlet on the internet for legal practitioners - online since 1996

International data transfers: the EU-US Privacy Shield

Written by Alice Piazza

"When it comes to privacy and accountability, people always demand the former for themselves and the latter for everyone else." - David Brin


In a world where, due to the unrestrained development of technology, every action we take can be observed and recorded, and sensors even track our smartphones as we walk from one place to another, the protection of privacy in relation to the transfer and use of personal data, for both commercial and governmental purposes, is one of the most hotly debated issues. As technology becomes more and more sophisticated, citizens demand legal rights over how their information is collected and used. Many transactions involve the acquisition and use of personal data, for instance a name, a phone number, a national insurance or social security number, a credit card number or any other kind of information able to identify a person. This happens, for example, whenever anyone buys goods or services online, uses social media or cloud storage services, and so on. To highlight how naively consumers sometimes approach this question, I can refer to a recent study published in the Harvard Law and Policy Review, which showed that consumers believe that the mere existence of a privacy policy on a site means that their personal information is protected. All considered, it is up to governments to provide an actual policy to prevent the illegal use of citizens' personal data and to impose sanctions for infringements, at a national level and, above all, when data are transferred between States that do not grant an equivalent level of legal protection. It is in the light of Edward Snowden's disclosures in 2013 that the questions related to international data transfers have become even more complex, especially considering that the legal systems involved, namely the US and the EU, reflect strong cultural traditions and different legislative approaches to the protection of personal data.
In this context, the Privacy Shield is only the latest attempt to provide a common legal framework able to grant an adequate level of protection when data are transferred from the EU Member States to the US.


All the problems related to international data transfers between the EU and the US stem from the fact that the two legal systems are characterized by clashing cultural and normative approaches to the use of personal data. As a matter of fact, up to now the EU Member States have always agreed on common regulations that are stricter than the ones in force in the US. Government reports aside, Americans have not actually adopted the view that privacy is unimportant. On the contrary, as Justin Brookman, Director of Consumer Privacy at the Center for Democracy and Technology in the United States, reports, "many people feel a nagging sense that their privacy is increasingly being violated and consumers feel that this means more needs to be done to ensure personal privacy, not less".

The US data protection regime is ad hoc, decentralized and narrowly tailored, placing its emphasis on market constraints rather than on government intervention. The right to privacy in the United States centers on a limited number of specific areas where protection is deemed necessary, and rests on multiple instruments, namely the Constitution, federal and State legislation and market self-regulation. At the judicial level, the Supreme Court, after first addressing the issue of informational privacy in Whalen v. Roe, has consistently read the right to privacy narrowly, holding that it exists only where a citizen has "a reasonable expectation of privacy" and that, once information is disclosed to a third party, this expectation no longer exists. Moreover, under US law the private sector is subject to significantly less regulation over the use of personal information than the public sector. The primary piece of federal legislation is the Privacy Act of 1974, which establishes standards for the collection, maintenance and dissemination of personal data by federal agencies. However, its effectiveness has been limited by the absence of a centralized enforcement mechanism to ensure that the supervisory duties on privacy issues retained by some federal agencies are actually fulfilled. Then, almost every State has enacted its own industry-specific privacy legislation, resulting in very little uniformity among fifty jurisdictions with distinct regimes. This legal background leaves room for company self-regulation schemes that rely on commercial norms and individual company policies. The reliance on the market as the regulator of data security supports the view that the US prefers a "laissez-faire" government and favors the power of corporations.

In contrast, the EU approach is based on a consolidated and enduring conception of the protection of privacy. The leading legislation on these matters is Directive 95/46/EC, which harmonized the data protection rules of the EU Member States in order to ensure the free flow of data among them. Except for matters of criminal law and national security, the Directive covers all processing of personal data, whatever the business or field of use, creating strict ex ante controls on those who act as controllers. Data can only be gathered lawfully in compliance with transparency, legitimate purpose and proportionality requirements. On the other side, individuals are granted the right of access, to obtain copies of the data about them, the right to have them corrected and the right to receive confirmation of the purposes of the processing. Furthermore, the Directive provides proper enforcement rights, which involve the States primarily. On top of offering a judicial remedy for data protection infringements, including a right to compensation, Member States must designate a national data protection authority (DPA) tasked with supervising the application of data protection law within their respective countries.


Because Directive 95/46/EC has a transnational reach, the divergent approaches of the United States and the EU became problematic as data were transferred between the two. In particular, the problems originated from the general rule under the Directive that personal data could be exported by a company established in the EU only to third countries that provide an adequate level of protection for such data, unless certain conditions were met. Under Article 25(6), an "adequacy decision" from the European Commission was required, certifying that the third country's legislation is adequate when assessed against the standard set by EU data protection law, giving particular consideration to the nature of the data, the purpose and duration of the processing, the rules of law in force in the third country in question and the professional rules and security measures complied with in that country. However, this adequacy requirement is subject to some derogations, listed in Article 26 of the Directive, including both the consent of the data subject and safeguards put in place by the controller, such as contractual clauses or binding corporate rules.

It is undeniable that the extraterritorial effect of Article 25 of the Directive has allowed the EU to exercise strong market power and influence, encouraging third countries to align more closely with EU data protection standards in order to obtain the right to use data coming from the Member States. Adequacy decisions by the Commission have turned into a sort of barrier to entry to the EU market and a lever to upgrade privacy protections in other countries.

Against this background, it was evident that the US would not meet the required standard. To avert the risk of substantial losses, in the order of billions of dollars, to both sides, given the size of the EU and US markets and the prospect of a trade war, in 1998 the US Department of Commerce and the European Commission started negotiations that led to the adoption of the so-called "Safe Harbor Privacy Principles". At least until the judgment of the ECJ, these represented an attempt to meet the protection demands of the EU Member States without requiring a sweeping change to the United States' self-regulated, ad hoc approach. The "safeness" was meant to derive from the system of self-regulation and self-certification that US-established companies wishing to receive data from the EU had to comply with.

It was used first of all by big companies that handle clients' data, such as Google and Facebook, but not only: it has been estimated that about 4,500 American companies relied on the Safe Harbor agreement. In order to satisfy EU standards against the disclosure and improper use of personal data, the Department of Commerce required companies to comply with the seven principles set out in the agreement, namely: (1) notice to individuals that data collection is occurring and for what purposes the data will be used; (2) individuals must be given the choice to opt out of the collection of data or of its disclosure to third parties; (3) companies may only transfer data onward to other organizations that comply with these rules; (4) companies must take reasonable precautions to protect the data; (5) data must be relevant to the purposes of collection and use; (6) data subjects must be able to access the information and correct inaccurate data; (7) there must be means of enforcing these rules. It is relevant to highlight that the Safe Harbor took effect in the European legal system through an adequacy decision adopted by the Commission, as required by Article 25(6) of the Directive.

How does the Privacy Shield mechanism fit into this context? To answer this question, it is necessary to go back to 2013, when Edward Snowden's revelations regarding the expansive data surveillance activities of the NSA raised serious issues about personal data protection both in the United States and abroad. In the light of these events, and after the Commission's thirteen recommendations pinpointing a series of shortcomings of the agreement, the renowned "Schrems case" took place and led to the invalidation of the Safe Harbor. In June 2013 Max Schrems, an Austrian lawyer, author and privacy activist, lodged a complaint with the Irish Data Protection Commissioner claiming that Facebook Ireland had mishandled his data by transferring them to the US, even though Facebook was self-certified under Safe Harbor. He argued that there was "no meaningful protection in US law or practice" for data transferred in this way. Since the Irish authority rejected the complaint, considering itself bound by the Commission's Safe Harbor decision, the plaintiff brought an action before the Irish High Court, which recognized Schrems' standing and referred the case to the ECJ, asking whether a national supervisory authority is bound by a Commission adequacy decision and whether the Safe Harbor system was functioning as it had been designed. On October 6, 2015 the ECJ found that the Commission's Safe Harbor decision was invalid, because it did not state that the United States in fact ensured an adequate level of protection by reason of its domestic law or its international commitments, which would have been necessary for the Commission to validly conclude that Safe Harbor was adequate under Article 25(6) of the Directive. Secondly, the Court held that the Commission had exceeded its powers by restricting the national Data Protection Commissioner's independent power to examine, following a claim by an individual, whether a transfer complied with the data protection regime.


Following the ECJ's invalidation of the Safe Harbor agreement, companies were left struggling to find a new legal basis for transferring European data to the United States without violating EU law. The so-called Article 29 Working Party, the body established by Article 29 of the Directive and made up of a representative of each EU Member State's Data Protection Authority, of the European Data Protection Supervisor and of the European Commission, which is responsible among other things for assessing the adequacy of third countries' protections, gave the parties roughly three months, until the end of January 2016, to address its concerns and conclude an alternative agreement. It also took note of the criticisms raised by the ECJ regarding the lack of judicial redress for EU citizens and the massive US surveillance programs. After lengthy negotiations, on February 2, 2016 the US Department of Commerce and the European Commission announced the conclusion of a new compromise for transatlantic data flows, the so-called Privacy Shield. It provides a set of enforceable protections for the personal data of EU citizens, among them transparency regarding how participating companies use personal data, strong oversight by the US Government, increased cooperation with the European data protection authorities, and new redress mechanisms to sanction infringements.

This was a relevant result, at least according to the European Data Protection Supervisor, Giovanni Buttarelli, who, in his opinion on the Privacy Shield, nonetheless also voiced some concerns, adding that "the Privacy Shield as it stands is not robust enough to withstand future legal scrutiny before the Court" and that "significant improvements" were needed for the Commission to adopt an adequacy decision, "to respect the essence of key data protection principles with particular regard to necessity, proportionality and redress mechanisms". Then, on July 12, 2016, the Commission adopted the adequacy decision on the new legal framework. But how does this mechanism work in practice?

First of all, to join the Privacy Shield, a US-based company is required to self-certify to the Department of Commerce and to publicly commit to meeting the framework's requirements. The certification is then subject to annual renewal. Although joining is voluntary, once a company has joined, its commitments become enforceable under US law. Anyone who wants to know whether a US company is part of the Privacy Shield can check the list published on the website of the Department of Commerce.

In line with the Privacy Shield principles, participating companies must publish their privacy policy on their public website, if they have one, and must inform the individuals they deal with about the types of data they process and the reasons why, whether they will transfer them to third parties and why, and grant a right of access on request, so that individuals can correct, amend or delete data that are inaccurate. In principle, a Privacy Shield company may use personal data only for the purposes for which they were originally collected and for as long as necessary for those purposes. Having ensured that the data used are accurate, reliable, complete and up to date, the company may use them for a different purpose only as long as it is related to the original one or, at least, is not incompatible with it. Moreover, as noted, under certain conditions a Privacy Shield company may transfer data to a third party, another company for instance. Irrespective of its location, within or outside the US, the company that receives the data must ensure the same level of protection as guaranteed under the Privacy Shield framework. This requires a contract between the Privacy Shield company and the third party, setting out the conditions of use by that third party and its responsibility to secure and protect the data. Stricter rules apply when the third party acts as an agent on behalf of the company: in that case, the Privacy Shield company can be held liable for the actions of an agent that fails to meet its obligation to protect the data.

However, the most innovative aspect of the Privacy Shield scheme is the set of redress mechanisms granted to EU citizens in order to lodge a complaint and obtain remedies against possible infringements. Any citizen who considers that his or her data have been misused under the framework benefits from several accessible and affordable dispute resolution mechanisms. In the first place, it is possible to lodge a complaint directly with the company itself, which must respond within 45 days. Secondly, free of charge alternative dispute resolution is offered. Individuals can also apply to their national Data Protection Authority, which will work with the US Federal Trade Commission to ensure that complaints by EU citizens are investigated and resolved. As a last resort, a binding arbitration mechanism is available. It is important to highlight that a brand new and independent redress structure, unusual in this area, has been set up, namely the Ombudsperson mechanism. The Privacy Shield Ombudsperson is a senior official of the US Department of State, independent from the US intelligence agencies, who ensures that complaints concerning access to data by US intelligence are properly investigated and addressed in a timely manner. In carrying out these duties, the Ombudsperson works closely with, and obtains the information needed for a response from, the other independent oversight and investigatory bodies responsible for overseeing the various US intelligence agencies, whenever the complaint concerns the compatibility of surveillance with US law. The Italian Data Protection Authority (the Garante) has published a handy and effective summary of the main features of the new Privacy Shield.

In practice, the US authorities have been compelled to exercise stricter supervision in order to ensure that private companies do not infringe the principles laid down by the Privacy Shield framework. At the same time, government agencies have also seen their powers to access and scrutinize EU citizens' data reduced. Perhaps this phenomenon, enshrined in the rules laid down by the Privacy Shield, can be regarded as a sort of reaction to the scandals that had involved the NSA during the previous years and that came to light after the Snowden revelations.


It is undeniable that the Privacy Shield framework has been regarded as a step forward towards a more meaningful protection of EU citizens' personal data. On the other hand, criticism has been raised, since the changes introduced by this new legal instrument have not been considered sufficient to overcome the deficiencies of the Safe Harbor. Above all, I can mention the opinion of Max Schrems, who has voiced his frustration with the weakness shown at the political level by the European Commission, which led to the "laughable" proposal for the new data sharing agreement known as the Privacy Shield. He defined it as "a soft update" of the Safe Harbor, which "does not address any of the material issues identified by the Court". He elaborated on this view in an interview given on March 2, 2016.

One of the main reasons for the invalidation of the Safe Harbor was the lack of access to judicial redress mechanisms. That is why the European negotiators conditioned their approval of the Privacy Shield on the United States' adoption of the Judicial Redress Act, which extends certain remedies of the Privacy Act of 1974 to European citizens. It became law on February 24, 2016, when it was signed by President Obama. European citizens can now seek remedies under the Privacy Act for the mishandling of personal information shared for criminal or terrorism investigations. However, following the inclusion of an amendment proposed by Republican senators, the extension of the 1974 Privacy Act has been restricted, since its benefits apply only to countries that the Attorney General designates as permitting commercial data transfers with the US and as not materially impeding US national security interests. The US ad hoc regulatory scheme also remains generally less protective than the European one on the same issues and contains many exemptions, in particular for law enforcement agencies and the CIA. Consequently, there is a risk that the ECJ would invalidate the new agreement for the same reasons it struck down the Safe Harbor.

An element that could influence a future ruling on the Privacy Shield adequacy decision is the recent wave of terrorist attacks, which is shifting, in a certain sense, the priorities and values of the European institutions. Historically, Europeans have not given national security exceptions a favorable interpretation. On the contrary, during the Safe Harbor negotiations and then in the Schrems judgment, the Commission and the Court sought to limit the scope of the national security exception, requiring that it be necessary and proportionate. Nowadays, due to the terrorist attacks the European countries are facing and will perhaps continue to face, we may start to see a loosening of strict privacy regulations in the name of national security. I need only point to the fact that two of the EU Member States most protective of individual privacy rights have relaxed their domestic privacy legislation in the light of the terrorist attacks they have suffered. In fact, in response to the Charlie Hebdo attack of January 2015, France adopted later that year, with the approval of the Constitutional Council, a surveillance law that allows the government to monitor the phone calls and e-mails of suspected terrorists without prior authorization from a judge. It also calls for internet service providers to install "black boxes" to analyze metadata and forces providers to make the data available to intelligence agencies. At the same time, after the recent terrorist attacks in Germany, the German institutions have decided to enact new laws entrusting the authorities with the power to monitor online data such as e-mails and WhatsApp and Skype messages.

In this context, on January 25, 2017 the Trump administration injected a new level of uncertainty into the already fragile data flow agreement. President Trump signed an executive order entitled "Enhancing Public Safety in the Interior of the United States", which directs agencies to exclude persons who are not US citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information. Even if the order seems to lie outside the scope of the Privacy Shield, as it deals with the way federal agencies store personally identifying information, it has prompted reactions from the European institutions. In particular, Jan Philipp Albrecht, the European Parliament's rapporteur for the EU's General Data Protection Regulation, expressed his concerns on Twitter, proposing "sanctions for the US for breaking EU-US umbrella agreement". These facts show how weak the current relationship between the EU and the US over data privacy is.

All considered, it is hard to deny that protection against the misuse of personal data is not easily achieved. The market for privacy is far from mature, and it is often still quite difficult for consumers to effectively control the collection and distribution of their personal information. Nonetheless, over the years some progress has been made. For privacy controls to improve over time, consumers will need to move beyond self-help solutions and cooperate with the institutions to devise better laws. From this perspective, governments should then seek a balance between the protection demands coming from citizens and other relevant interests, linked for example to national security and international relations. In this context, the Privacy Shield, despite all the deficiencies highlighted by some experts, represents an unsteady attempt to draw up a common legal framework to regulate transnational data flows, and it deserves stronger political support. Ultimately, the ECJ will have the final say, as it could strike down the adequacy decision that incorporated the Privacy Shield into the European legal system, revealing whether its structure is solid enough to withstand its drawbacks.


Boehm, F., "Assessing the New Instruments in EU-US Data Protection Law for Law Enforcement and Surveillance Purposes", 2 Eur. Data Prot. L. Rev. 178 (2016).

Brookman, J., "Protecting Privacy in an Era of Weakening Regulation", 9 Harv. L. & Pol'y Rev. 355 (2015).

Ciocchetti, C., "The Privacy Matrix", 12 J. Tech. L. & Pol'y 245 (2007).

Edwards, L., "Privacy, Security, and Data Protection in Smart Cities: A Critical EU Law Perspective", 2 Eur. Data Prot. L. Rev. 28 (2016).

Irion, K., Yakovleva, S., "The Best of Both Worlds: Free Trade in Services and EU Law on Privacy and Data Protection", 2 Eur. Data Prot. L. Rev. (2016).

Schrems, M., "The Privacy Shield is a Soft Update of the Safe Harbor", 2 Eur. Data Prot. L. Rev. 148 (2016).

Serpico, V., Landers, D., Terrill, D.A., "Making Sense of U.S. State Data Privacy Law", 119 Banking L.J. 462 (2002).