The EU-US Privacy Shield Framework was developed by the US Department of Commerce and the European Commission to facilitate compliance with personal data protection requirements when transferring personal data from the European Union to the United States. Organizations participating in the program were deemed to provide “adequate” privacy protection outside of the European Union under the EU Data Protection Directive (GDPR).
On July 16, 2020, the Court of Justice of the European Union (CJEU) issued a judgment declaring the inadequacy of the protections provided by the EU-US Privacy Shield Framework. As a result of the decision, the framework is no longer a valid mechanism to comply with the GDPR when transferring personal data from the European Union to the United States. The economic consequences and implications are enormous, impacting more than 5,300 European and U.S. companies that represent millions of transatlantic jobs and over $7.1 trillion in commercial transactions.
The decision of the CJEU is complex. It is based upon an analysis of U.S. surveillance programs and how they compare with the requirements of equivalent programs under EU law. The CJEU took issue with two aspects of U.S. surveillance programs. The first concerns the principle of proportionality: the court found that the collection of personal data under such surveillance programs is “not limited to what is strictly necessary.” The second is that data subjects are not granted actionable rights before the courts against the U.S. authorities. A copy of the CJEU press release concerning the decision can be found here: https://spelusolawoffice.com/wp-content/uploads/2020/07/cp200091en.pdf.
The U.S. Department of Commerce continues to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List, while it works with the European Commission to resolve deficiencies in the program.