The EU-US Privacy Shield, which came into force on August 1, 2016, following an implementing decision by the EU Commission, is intended to provide legal clarity for companies in the European Union and Switzerland when transferring personal data to the US. According to EU Directive 95/46/EC, which has since been repealed, and Art. 44 and Art. 45 of the GDPR, which have been in force since May 25, 2018, personal data may only be transferred to a third country if an appropriate level of protection is ensured there. The US is regarded as an “unsafe” third country in this sense. Data transfers to US companies that are certified in accordance with the requirements of the EU-US Privacy Shield therefore do not require any special approval. The list maintained by the International Trade Administration (ITA), a subordinate authority of the US Department of Commerce, now includes over 5,000 certified US companies. The previous model, Safe Harbor, was declared invalid by the ECJ on October 6, 2015 (Case No.: C-362/14), as a result of a lawsuit filed by data protection activist Maximilian Schrems.
One of the points of criticism aimed at the Privacy Shield is the self-certification of companies. Verification by an independent body is not carried out. In contrast to Safe Harbor, certified US companies face sanctions if their commitments are not met. A further point of criticism is the government access to stored data granted by US legislation (e.g., the USA PATRIOT Act). According to the EU Commission, the US government has provided written assurance that access to personal data from EU citizens will be subject to significant restrictions and controls in the future. However, no binding contractual regulation exists.
The EU Commission's third annual review of the EU-US Privacy Shield reported progress on these points of criticism. The appointment of Keith Krach as ombudsman is mentioned as a positive aspect. Praise was also given for the random monitoring of compliance with the agreement that now takes place. Recommended improvements included controls on compliance with the material requirements, the scope of controls and the facilitation of recertification.
The opinion of the EU Advocate General on the reference for a preliminary ruling from the High Court of Ireland is expected on December 12. The binding ruling of the ECJ is expected a few weeks later. Maximilian Schrems expects the ECJ to declare the Privacy Shield invalid.