Q1: Can a Privacy Shield participant rely on the EU-U.S. Privacy Shield Framework to receive personal data from the European Union in light of the July 16, 2020 decision by the Court of Justice of the European Union (CJEU)? 
  • On July 16, 2020, the Court of Justice of the European Union issued a judgment declaring as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. This decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework. 
  • The United States remains committed to working with the EU to ensure continuity in transatlantic data flows and privacy protections. The U.S. Department of Commerce has been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hopes to be able to limit the negative consequences of the decision to the transatlantic data flows that are so vital to our respective citizens, companies, and governments.
  • As U.S. Secretary of Commerce Wilbur Ross noted on July 16, 2020, “The Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List.” 
  • If you have questions, please contact the European Commission, the appropriate European national data protection authority or legal counsel.

Q2: Will there be a delay or moratorium on enforcement by EU data protection authorities in light of the July 16, 2020 decision by the CJEU?  
  • On July 17, 2020, the European Data Protection Board (EDPB), which is an independent European body that contributes to the consistent application of data protection rules throughout the European Union and promotes cooperation between the EU’s data protection authorities, issued a statement noting, among other things, that “The EDPB intends to continue playing a constructive part in securing a transatlantic transfer of personal data that benefits EEA citizens and organisations and stands ready to provide the European Commission with assistance and guidance to help it build, together with the U.S., a new framework that fully complies with EU data protection law.”
  • On July 23, 2020, the EDPB adopted guidance to a set of frequently asked questions on the July 16, 2020 decision by the CJEU, noting, among other things, that there is no grace period during which an organization can keep on transferring data to the United States without assessing its legal basis for the transfer.
  • If you have questions, please contact the appropriate European national data protection authority or legal counsel.

Q3: Why should U.S.-based organizations participate in the EU-U.S. Privacy Shield Framework in light of the July 16, 2020 decision by the CJEU?
  • The July 16, 2020 decision by the CJEU does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework. On July 21, 2020, the Federal Trade Commission (FTC) noted that “We continue to expect companies to comply with their ongoing obligations with respect to transfers made under the Privacy Shield Framework.”
  • In addition, organizations’ continued participation in the EU-U.S. Privacy Shield demonstrates a serious commitment to protect personal information in accordance with a set of privacy principles that offer meaningful privacy protections and recourse for EU individuals. 
  • For help determining the most appropriate data transfer mechanism for an organization, please contact the European Commission, the appropriate European national data protection authority or legal counsel.

Q4: Have the requirements regarding re-certification under the EU-U.S. Privacy Shield Framework changed in light of the July 16, 2020 decision by the CJEU?  
  • The U.S. Department of Commerce’s International Trade Administration (ITA) continues to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield and maintaining the Privacy Shield List.
  • Organizations continue to be required to re-certify annually if they wish to remain on the Privacy Shield List. Please see the guidance provided at https://www.privacyshield.gov/article?id=How-to-Re-certify-to-Privacy-Shield for more information on how to re-certify to Privacy Shield.
  • Organizations continue to be required to pay an annual processing fee to the ITA in order to participate in the Privacy Shield, as the cost recovery program supports the administration and supervision of the Privacy Shield program. The annual processing fee is generally not refundable.
  • Organizations continue to have additional direct costs associated with participation in the Privacy Shield. For example, Privacy Shield organizations must provide a readily available independent recourse mechanism to hear individual complaints at no cost to the individual. Providers of such services set their own fees. Furthermore, the Privacy Shield provides the option for an EU or Swiss individual, as appropriate, to invoke binding arbitration to determine whether a Privacy Shield organization has violated its obligations under the Privacy Shield Principles as to that individual and whether any such violation remains fully or partially unremedied. The U.S. Department of Commerce facilitated the establishment of a fund into which Privacy Shield organizations are required to make contributions to cover the arbitral costs as described in Annex I to the Privacy Shield Principles. The International Centre for Dispute Resolution-American Arbitration Association (ICDR-AAA) was selected to administer these arbitrations and manage this fund. 

Q5: Have the requirements regarding withdrawal from the EU-U.S. Privacy Shield Framework changed in light of the July 16, 2020 decision by the CJEU?
  • The U.S. Department of Commerce’s International Trade Administration (ITA) continues to administer the Privacy Shield program, including processing submissions for withdrawal from the Privacy Shield and maintaining both the Privacy Shield List and a record of organizations that have been removed from the Privacy Shield List.
  • Organizations may withdraw from the Privacy Shield at any time; however, they must meet ongoing requirements related to data received under the Privacy Shield and must remove from their websites, privacy policy statements, and any other public documents any representations that could be construed as claims that they participate in or comply with the Privacy Shield. Please see the Privacy Shield Principles and the guidance provided at https://www.privacyshield.gov/article?id=Withdrawal-from-Privacy-Shield for more information on withdrawal from the Privacy Shield, including the requirement to complete and return to the ITA a withdrawal questionnaire to verify whether the organization will return, delete, or continue to apply the Privacy Shield Principles to the personal information that it received while participating in the Privacy Shield, and, if personal information will be retained, who within the organization will serve as an ongoing point of contact for Privacy Shield-related questions.
  • Organizations continue to be required to pay an annual processing fee to the ITA in order to participate in the Privacy Shield, as the cost recovery program supports the administration and supervision of the Privacy Shield program. The annual processing fee is generally not refundable.