EU-US Privacy Shield(Note: This article is an update on our first article about Privacy Shield posted in the February  2016 edition of GZ News.)

~By Ted Haas, Global-Z Chief Marketing Officer (CMO)

On February 2nd, 2016 the US Department of Commerce and European Commission issued a press release that outlined some key changes to the EU-US Safe Harbor; now dubbed the “Privacy Shield.”   This agreement replaces Safe Harbor, which was declared invalid on October 6th, 2015.

Here are some of the key updates since this major decision has been announced.




Overview: What is Privacy Shield?

  • It is a robust framework under which personal data of EU individuals will be protected when it is transferred to the US.
  • It replaces Safe Harbor –declared invalid by EU Court October 6th, 2015.
  • It is a voluntary self-certification to the US Dept. of Commerce.
  • Once a company publicly commits to Privacy Shield, it is enforceable under US law.
  • It includes multiple avenues of redress to resolve complaints.
  • Privacy Shield companies must select an independent dispute resolution organization.
    • Panel created by the EU Data Protection Authorities (DPA’s).
    • Accredited organization in EU.
    • Accredited organization in US.
  • There are special provisions for HR personal information.
  • It is a ‘living commitment’ with annual review.
  • Privacy Shield will be effective with final approval of European Commission (est. June 2016).


7 Principles and 16 Supplemental Principles define the core provisions of the Privacy Shield framework.

Main Principles:

  1. Notice
  2. Choice
  3. Accountability for Onward Transfer
  4. Security
  5. Data Integrity and Purpose Limitations
  6. Access
  7. Recourse, Enforcement and Liability


16 Supplemental Principles:

  1. Sensitive Data
  2. Journalistic exceptions
  3. Secondary Liability
  4. Performing Due Diligence and Conducting Audits
  5. Role of the Data Protection Authorities
  6. Self – Certification
  7. Verification
  8. Access
  9. Human Resource Data
  10. Obligatory Contracts for Onward Transfers
  11. Dispute Resolution and Enforcement
  12. Choice-Timing of Opt Out
  13. Travel Information
  14. Pharmaceutical and Medical Products
  15. Public Record and Publicly Available Information
  16. Access Requests by Public Authorities

If you would like to discuss Privacy Shield in greater detail and/or the specific impact on your company feel free to contact us any time.

The US Department of Commerce has issued a “Fact Sheet” overview of the EU-US Privacy Shield Framework it can be found here.

Privacy Shield will be complex; we strongly recommend consulting legal counsel with international privacy law expertise.