Last updated: August 20, 2020

Q1: Can a Privacy Shield participant rely on the EU-U.S. Privacy Shield Framework to receive personal data from the European Union in light of the July 16, 2020 decision by the Court of Justice of the European Union (CJEU)? 
  • On July 16, 2020, the Court of Justice of the European Union issued a judgment declaring as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. This decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework. 
  • The United States remains committed to working with the EU to ensure continuity in transatlantic data flows and privacy protections. The U.S. Department of Commerce has been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hopes to be able to limit the negative consequences of the decision to the transatlantic data flows that are so vital to our respective citizens, companies, and governments.
  • On August 10, 2020, U.S. Secretary of Commerce Wilbur Ross and European Commissioner for Justice Didier Reynders issued a joint statement noting that “The U.S. Department of Commerce and the European Commission have initiated discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework to comply with the July 16 judgment of the Court of Justice of the European Union in the Schrems II case.”
  • The Department will continue to administer the Privacy Shield program while those discussions proceed. As U.S. Secretary of Commerce Wilbur Ross noted on July 16, 2020, “The Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List.”
  • If you have questions, please contact the European Commission, the appropriate European national data protection authority or legal counsel.

Q2: Will there be a delay or moratorium on enforcement by EU data protection authorities in light of the July 16, 2020 decision by the Court of Justice of the European Union (CJEU)?
  • On July 17, 2020, the European Data Protection Board (EDPB), which is an independent European body that contributes to the consistent application of data protection rules throughout the European Union and promotes cooperation between the EU’s data protection authorities, issued a statement noting, among other things, that “The EDPB intends to continue playing a constructive part in securing a transatlantic transfer of personal data that benefits EEA citizens and organisations and stands ready to provide the European Commission with assistance and guidance to help it build, together with the U.S., a new framework that fully complies with EU data protection law.”
  • On July 23, 2020, the EDPB adopted guidance to a set of frequently asked questions on the July 16, 2020 decision by the CJEU noting, among other things, that there is no grace period during which an organization can keep on transferring data to the United States without assessing its legal basis for the transfer.
  • The U.S. Department of Commerce has been and will remain in close contact with the EDPB on this matter.
  • If you have questions, please contact the appropriate European national data protection authority or legal counsel.

 Q3: Why should U.S.-based organizations participate in the EU-U.S. Privacy Shield Framework in light of the July 16, 2020 decision by the Court of Justice of the European Union (CJEU)?
  • Organizations’ continued participation in the EU-U.S. Privacy Shield demonstrates a serious commitment to protect personal information in accordance with a set of privacy principles that offer meaningful privacy protections and recourse for EU individuals.
  • The July 16, 2020 decision by the CJEU does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework. On August 5, 2020, Federal Trade Commission (FTC) Chairman Joseph Simons noted with reference to the July 16, 2020 decision by the CJEU that “We stand ready to support the administration’s efforts in this area, but at the same time we will continue to hold companies accountable for their privacy commitments, including promises made under the Privacy Shield.”
  • As noted in the August 10, 2020 joint statement, the U.S. Department of Commerce and the European Commission are discussing the potential for an enhanced EU-U.S. Privacy Shield Framework to comply with the July 16, 2020 decision by the CJEU. The Department is continuing to administer the Privacy Shield program while those discussions proceed.
  • For help determining the most appropriate data transfer mechanism for an organization, please contact the European Commission, the appropriate European national data protection authority or legal counsel.

Q4: Have the requirements regarding re-certification under the EU-U.S. Privacy Shield Framework changed in light of the July 16, 2020 decision by the Court of Justice of the European Union (CJEU)?
  • The U.S. Department of Commerce’s International Trade Administration (ITA) continues to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield and maintaining the Privacy Shield List.
  • Organizations continue to be required to re-certify annually if they wish to remain on the Privacy Shield List. Please see the guidance on how to re-certify to Privacy Shield for additional information on the re-certification requirements, including the requirement to provide a readily available independent recourse mechanism to hear individual complaints at no cost to the individual and the requirement to contribute to a fund to cover the arbitral costs as described in Annex I to the Privacy Shield Principles. 
  • Organizations continue to be required to pay an annual processing fee to the ITA in order to participate in the Privacy Shield, as the cost recovery program supports the administration and supervision of the Privacy Shield program. The annual processing fee is generally not refundable.

Q5: Have the requirements regarding withdrawal from the EU-U.S. Privacy Shield Framework changed in light of the July 16, 2020 decision by the Court of Justice of the European Union (CJEU)?
  • The U.S. Department of Commerce’s International Trade Administration (ITA) continues to administer the Privacy Shield program, including processing submissions for withdrawal from the Privacy Shield and maintaining both the Privacy Shield List and a record of organizations that have been removed from the Privacy Shield List.
  • Organizations may withdraw from the Privacy Shield at any time; however, they must meet ongoing requirements related to data received under the Privacy Shield and must remove from their websites, privacy policy statements, and any other public documents any representations that could be construed as claims that they participate in or comply with the Privacy Shield. Please see the Privacy Shield Principles and the guidance on withdrawal from the Privacy Shield for additional information on the withdrawal requirements, including the requirement to complete and return to the ITA a withdrawal questionnaire to verify what the organization will do with the personal information that it received while participating in the Privacy Shield, and if personal information will be retained who within the organization will serve as an ongoing point of contact for Privacy Shield-related questions.
  • The annual processing fee that organizations are required to pay to the ITA in order to participate in the Privacy Shield is generally not refundable.