The United States - Privacy Shield, Schrems II and the Data Privacy Framework
Privacy Shield replaced Safe Harbor (adequacy decision 12 July 2016, in force 1 August 2016) with seven strengthened principles and extra safeguards. The CJEU invalidated Privacy Shield on 16 July 2020 in Schrems II, finding US surveillance law not essentially equivalent and the ombudsperson inadequate. A successor, the Trans-Atlantic Data Privacy Framework, was announced in March 2022.
The Commission adopted its Privacy Shield adequacy decision on 12 July 2016, and the framework entered operation on 1 August 2016. US firms under FTC or DOT jurisdiction could self-certify with the DOC (which excluded many banks, financial-services and telecoms firms). Its documentation was far more detailed than Safe Harbor's, with extra checks and balances and official US government assurances on access to data.
The seven principles are:
- Notice
- Choice
- Accountability for onward transfer
- Security
- Data integrity and purpose limitation
- Access
- Recourse, enforcement, and liability
The WP29's April 2016 opinion warned of missing EU principles, complex redress, possible massive and indiscriminate collection by US intelligence, and a weak ombudsperson. On 16 July 2020, the CJEU in Schrems II invalidated Privacy Shield with immediate effect, finding US law on government access not essentially equivalent and the ombudsperson mechanism inadequate.
In March 2022 the Biden administration and the Commission announced the Trans-Atlantic Data Privacy Framework to address the shortcomings and withstand future challenge.