U.S., EU Launch "Privacy Shield" Data Transfer Framework, Certification to Begin August 1


U.S. organizations that collect, receive, handle, or process EU citizens' personal data are generally subject to EU privacy and data protection laws.

With the loss of the "Safe Harbor" data transfer framework in October 2015, thousands of U.S. organizations lost their primary mechanism for complying with those EU laws. The new "Privacy Shield" data transfer framework replaces the Safe Harbor and allows U.S. organizations that take part in the Privacy Shield to legally collect and process personal data of EU citizens.

Three Key Takeaways

The EU-U.S. Privacy Shield was formally approved on July 12, and the Department of Commerce will begin accepting applications to join the Privacy Shield program starting on August 1. U.S. organizations that wish to participate must:

What Is the Privacy Shield?

The Privacy Shield is a binding data transfer framework that governs the transfer, handling, sharing and use of EU citizens' personal data within the United States. Compared to the Safe Harbor, the Privacy Shield imposes stricter and more comprehensive data protection obligations on U.S. organizations that handle EU personal data.

Which Organizations Are Affected?

All U.S. entities—large or small—that process[1] personal data of EU citizens must comply with either the Privacy Shield or another EU-approved data transfer framework, such as model contracts or binding corporate rules (BCR), or otherwise face enforcement actions and liability from individuals and government regulators alike.

The Department of Commerce will serve as the primary regulator of the Privacy Shield program for most U.S. organizations. It will maintain a public list of organizations that have joined the program, and is required to conduct regular reviews of participating organizations to verify and enforce compliance. The Federal Trade Commission (FTC) and the Department of Transportation (DOT) also are empowered to monitor and enforce the Privacy Shield's obligations within their respective areas of authority.

What Obligations Does the Privacy Shield Impose on U.S. Organizations?

The central feature of the Privacy Shield is a self-certification system by which U.S. organizations voluntarily commit to seven Privacy Principles based on the EU Data Protection Directive[2] and, where applicable, additional Supplemental Principles promulgated by the Department of Commerce.[3] These Principles become legally binding and enforceable against organizations that join the Privacy Shield program.

The Privacy Principles include:

Why Should U.S. Organizations Consider Joining the Privacy Shield Framework?

The Privacy Shield allows U.S. organizations to legally process EU personal data. U.S. organizations that process EU personal data outside of an approved framework, such as the Privacy Shield, can face significant liability. Sanctions can include civil and/or criminal liability under EU data protection laws, enforcement actions from government agencies, and lawsuits from EU citizens.[5]

Key Considerations for U.S.-Based Organizations

U.S. organizations that collect and process EU personal data and that are not currently a party to an EU-approved data transfer framework should consider taking the following steps to prepare for Privacy Shield implementation:

Finally, it is worth noting that the Privacy Shield faces an uncertain future. EU privacy advocates have threatened to challenge the Privacy Shield in court, arguing that it does not provide sufficient protection for EU citizens' personal privacy, which is the same claim that sank the Safe Harbor. It is unclear whether the Privacy Shield's more robust protections would survive judicial review.


[1] Processing is broadly defined to include handling, receiving, collecting, sending, using, storing, altering and deleting personally identifiable information.

[2] Commission Implementing Decision, ¶¶ 19–29 (July 12, 2016).

[3] Annexes to the Commission Implementing Decision, pp. 24–46 (July 12, 2016).

[4] Annexes to the Commission Implementing Decision, p. 29 (July 12, 2016).

[5] Congress passed the Judicial Redress Act earlier this year, which granted EU citizens the right to enforce EU privacy rights in U.S. courts and extended the rights and protections of the 1974 Privacy Act to EU citizens.


©2025 Katten Muchin Rosenman LLP
National Law Review, Volume VI, Number 200