
EU-US Privacy Shield for E-Commerce Companies

by John DiGiacomo

Partner

Ever since the Court of Justice of the European Union invalidated the old Safe Harbor framework in October 2015, the United States and the European Union (“EU”) have been working to create a new system that would offer adequate protection for the collection, storage and use of EU residents’ personal information. It has been no easy task, as each side has its own approach to, and expectations of, privacy.

However, the light at the end of the tunnel may finally be in sight. On February 29, 2016 the European Commission released the EU-US Privacy Shield Framework. The new Privacy Shield agreement is designed to enhance the protection of personal information in a multitude of ways, a handful of which include:

  • Requiring more information be provided to users under the “Notice” principle – this includes a declaration by the organization that it participates in the Privacy Shield agreement and identification of the independent dispute resolution body that will handle complaints;
  • Increasing protection of personal data transferred from a Privacy Shield participating organization to a third party. This includes a requirement that the organization take reasonable steps to ensure the third party processes and uses the personal information in a way that is consistent with Privacy Shield;
  • Privacy Shield organizations may only collect information that is relevant to its intended use;
  • Annual affirmation to the Department of Commerce, by an organization that leaves Privacy Shield but keeps the personal data it collected, that it will continue to apply the Privacy Shield principles to that data, a commitment enforceable by the FTC (Federal Trade Commission) or, for the carriers it regulates, the Department of Transportation;
  • Requiring organizations to respond as quickly as possible to complaints regarding compliance with Privacy Shield principles; and
  • Requiring Privacy Shield participating organizations to make public the relevant Privacy Shield-related sections of any compliance or assessment reports submitted to the FTC if the organization becomes subject to an FTC or court order based on non-compliance.

Annex I of Privacy Shield addresses arbitration claims. Under Privacy Shield, organizations are obligated to arbitrate claims against them regarding the recourse, enforcement and liability principle. A complete list of the principles and what they entail can be found in Annex II of Privacy Shield.

EU individuals can pursue legal remedies privately in the US court system. However, Privacy Shield participants must also commit to binding arbitration, at the request of any individual, to address complaints not resolved by the other recourse and enforcement mechanisms made available under Privacy Shield. This is done so that all EU individuals have access to a recourse mechanism, as not everyone can afford to pursue a claim privately in the courts.

The binding arbitration option applies to specific “residual” claims. It allows an individual to establish whether a Privacy Shield organization has violated obligations owed to that individual under the agreement and whether any such violation remains wholly or partially unremedied. Binding arbitration is not available where an exception to the principles applies, nor for challenges to the adequacy of Privacy Shield itself.

Both the EU and the US are committed to making this new agreement work. If an individual submits a complaint to a data protection authority (“DPA”) in the EU, the Department of Commerce has committed to receiving and reviewing the referral, undertaking every available effort to resolve the complaint, and responding to the DPA on the issue within 90 days of receiving it.

In mid-April 2016 the EU finalized the General Data Protection Regulation (GDPR), its new data protection law. There is speculation that the GDPR will make implementing the newly agreed Privacy Shield more challenging, particularly because it imposes substantial penalties on foreign organizations that do not comply. However, given the novelty of both instruments, it is too early to tell what the long-term ramifications will be.

There are many components to the EU-US Privacy Shield; here we have provided a brief overview of the agreement with a focus on its arbitration elements. For more information on what Privacy Shield entails and what you need to do to prepare your organization for the EU market, contact Revision Legal’s Internet Privacy attorneys through the form on this page or call 855-473-8474.

Why Privacy Shield Replaced Safe Harbor — and Why That History Matters

To understand Privacy Shield, you need to understand what came before it. The EU-US Safe Harbor framework, in place from 2000 to 2015, allowed US companies to self-certify that they met EU data protection standards, enabling them to receive personal data from EU residents. In October 2015, the Court of Justice of the European Union (CJEU) struck down Safe Harbor in Schrems v. Data Protection Commissioner (Case C-362/14), holding that the framework provided inadequate protection because US surveillance law — particularly Section 702 of FISA and Executive Order 12333 — allowed US government access to EU citizens’ data in ways incompatible with the EU Charter of Fundamental Rights.

The Schrems decision left approximately 4,000 US companies without a valid legal mechanism for transatlantic data transfers and forced a rapid renegotiation. Privacy Shield was the result — a more robust framework that added new obligations for US companies, new protections for EU individuals, and new oversight mechanisms intended to satisfy the CJEU’s concerns about US government access.

What US Companies Are Required to Do Under Privacy Shield

Self-certification under Privacy Shield is not a passive exercise. Companies must affirmatively commit to a comprehensive set of principles and implement practices that deliver on those commitments:

  • Notice. Companies must publish a clear privacy policy that states their participation in Privacy Shield, identifies the types of personal data collected, describes the purposes for which it is used, and explains the individual rights available to EU data subjects — including the right to access, correct, and delete their data.
  • Choice. For sensitive data categories — health information, racial or ethnic origin, political opinions, religious beliefs, trade union membership, and sexual life — companies must obtain affirmative opt-in consent before processing. For non-sensitive data shared with third parties, companies must provide a clear opt-out mechanism.
  • Accountability for onward transfers. When a certified company transfers EU personal data to a third-party processor or sub-processor, it must enter into a contract that requires the third party to provide at least the same level of protection as Privacy Shield. If the third party mishandles the data, the original certified company remains liable to the EU data subject unless it can demonstrate it was not at fault.
  • Security. Companies must implement reasonable and appropriate security measures to protect personal data from loss, misuse, unauthorized access, disclosure, alteration, and destruction.
  • Data integrity and purpose limitation. Personal data must be limited to what is relevant for the purposes of processing and must not be processed in ways incompatible with those purposes.
  • Access. EU individuals have the right to access the personal data a company holds about them, correct inaccuracies, and request deletion in certain circumstances.
  • Recourse, enforcement, and liability. Companies must designate independent recourse mechanisms to handle individual complaints at no cost to the individual. Binding arbitration through the Privacy Shield Panel is available as a last resort.

The Privacy Shield’s Arbitration Mechanism in Practice

The binding arbitration option — the Privacy Shield Panel — was one of the key innovations designed to address the CJEU’s concern that EU individuals had no effective legal remedy against US companies. Under the Panel, an EU individual who has exhausted other Privacy Shield recourse mechanisms and is still not satisfied with the resolution can invoke binding arbitration. The arbitration is conducted under rules developed jointly by the US and EU, and the Panel has authority to award individual-specific non-monetary equitable relief — meaning it can order a company to stop specific processing or to delete data, but it cannot award monetary compensation.

The Panel is not an option for claims about the adequacy of Privacy Shield itself — those challenges must go through EU data protection authorities. But for individual complaints about company compliance with Privacy Shield principles, the Panel provides a meaningful last resort that did not exist under Safe Harbor.

Schrems II and the Current Transatlantic Data Transfer Landscape

Privacy Shield itself was struck down by the CJEU in July 2020 in Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (Case C-311/18, commonly called “Schrems II”) — again on grounds that US surveillance law provided inadequate protection for EU data subjects. The EU-US Data Privacy Framework (DPF) was subsequently negotiated and adopted in July 2023 as a replacement, with additional commitments from the US government regarding limitations on intelligence agency access to EU data.

US companies currently have three primary legal mechanisms for transferring personal data from the EU to the US: (1) participation in the EU-US Data Privacy Framework; (2) execution of Standard Contractual Clauses (SCCs) adopted by the European Commission; and (3) in limited circumstances, Binding Corporate Rules for intra-group transfers. Each mechanism has its own compliance requirements, and the correct choice depends on the nature of the company’s business, the volume of data transferred, and the risk tolerance of the company.

E-Commerce Compliance Checklist for Transatlantic Data Transfers

For US e-commerce companies serving EU customers, the practical compliance obligations are significant:

  • Update privacy notices to clearly identify the legal basis for data transfers and the mechanism used (DPF certification, SCCs, or other).
  • If using the EU-US DPF, certify annually with the Department of Commerce and keep the certification current. Lapsed certification eliminates the legal basis for the transfer.
  • Map all data flows to identify where EU personal data is transferred and to which processors or sub-processors.
  • Audit third-party contracts to ensure processors are bound by appropriate data protection obligations.
  • Implement a data breach notification process that satisfies both the GDPR’s 72-hour notification requirement and US state breach notification laws.
  • Designate a point of contact for EU individual rights requests and establish a process for responding within the GDPR’s one-month deadline.

Talk to an Attorney

Transatlantic data transfer compliance is not a set-it-and-forget-it exercise. The legal landscape has changed multiple times since 2015 and will continue to evolve. US e-commerce companies that rely on EU customer data need current, accurate advice about the legal mechanism they are using and the obligations that come with it. Contact Revision Legal’s internet privacy attorneys through the form on this page or call 855-473-8474.
