EU US PRIVACY SHIELD FRAMEWORK

1. Introduction

  1. Directive 95/46/EC sets the rules for transfers of personal data from the Member States to third countries to the extent that such transfers fall within its scope.
  2. Article 1 of Directive 95/46/EC and recitals 2 and 10 in its preamble seek to ensure not only effective and complete protection of the fundamental rights and freedoms of natural persons, in particular the fundamental right to respect for private life with regard to the processing of personal data, but also a high level of protection of those fundamental rights and freedoms[1].
  3. The importance of both the fundamental right to respect for private life, guaranteed by Article 7, and the fundamental right to the protection of personal data, guaranteed by Article 8 of the Charter of Fundamental Rights of the European Union, has been emphasised in the case-law of the Court of Justice[2].
  4. Pursuant to Article 25(1) of Directive 95/46/EC Member States are required to provide that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of protection and the Member State laws implementing other provisions of the Directive are respected prior to the transfer. The Commission may find that a third country ensures such an adequate level of protection by reason of its domestic law or of the international commitments it has entered into in order to protect the rights of individuals. In that case, and without prejudice to compliance with the national provisions adopted pursuant to other provisions of the Directive, personal data may be transferred from the Member States without additional guarantees being necessary.
  5. Pursuant to Article 25(2) of Directive 95/46/EC, the level of data protection afforded by a third country should be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations, including the rules of law, both general and sectoral, in force in the third country in question.
  6. In Commission Decision 2000/520/EC[3], for the purposes of Article 25(2) of Directive 95/46/EC, the ‘Safe Harbour Privacy Principles’, implemented in accordance with the guidance provided by the so-called ‘Frequently Asked Questions’ issued by the U.S. Department of Commerce, were considered to ensure an adequate level of protection for personal data transferred from the Union to organisations established in the United States.
  7. In its Communications COM(2013) 846 final[4] and COM(2013) 847 final of 27 November 2013[5], the Commission considered that the fundamental basis of the Safe Harbour scheme had to be reviewed and strengthened in the context of a number of factors, including the exponential increase in data flows and their critical importance for the transatlantic economy, the rapid growth of the number of U.S. companies adhering to the Safe Harbour scheme and new information on the scale and scope of certain U.S. intelligence programs which raised questions as to the level of protection it could guarantee. In addition, the Commission identified a number of shortcomings and deficiencies in the Safe Harbour scheme.
  8. Based on evidence gathered by the Commission, including information stemming from the work of the EU-U.S. Privacy Contact Group[6] and the information on U.S. intelligence programs received in the ad hoc EU-U.S. Working Group[7], the Commission formulated 13 recommendations for a review of the Safe Harbour scheme. These recommendations focused on strengthening the substantive privacy principles, increasing the transparency of U.S. self-certified companies’ privacy policies, better supervision, monitoring and enforcement by the U.S. authorities of compliance with those principles, the availability of affordable dispute resolution mechanisms, and the need to ensure that the use of the national security exception provided in Decision 2000/520/EC is limited to an extent that is strictly necessary and proportionate.
  9. In its judgment of 6 October 2015 in Case C-362/14, Maximillian Schrems v Data Protection Commissioner[8], the Court of Justice of the European Union declared Decision 2000/520/EC invalid. Without examining the content of the Safe Harbour Privacy Principles, the Court considered that the Commission had not stated in that decision that the United States in fact ‘ensured’ an adequate level of protection by reason of its domestic law or its international commitments[9].
  10. In this regard, the Court of Justice explained that, while the term ‘adequate level of protection’ in Article 25(6) of Directive 95/46/EC does not mean a level of protection identical to that guaranteed in the EU legal order, it must be understood as requiring the third country to ensure a level of protection of fundamental rights and freedoms ‘essentially equivalent’ to that guaranteed within the Union by virtue of Directive 95/46/EC read in the light of the Charter of Fundamental Rights. Even though the means to which that third country has recourse, in this connection, may differ from the ones employed within the Union, those means must nevertheless prove, in practice, effective[10].
  11. The Court of Justice criticised the lack of sufficient findings in Decision 2000/520/EC regarding the existence, in the United States, of rules adopted by the State intended to limit any interference with the fundamental rights of the persons whose data is transferred from the Union to the United States, interference which the State entities of that country would be authorised to engage in when they pursue legitimate objectives, such as national security, and the existence of effective legal protection against interference of that kind[11].
  12. In 2014 the Commission had entered into talks with the U.S. authorities in order to discuss the strengthening of the Safe Harbour scheme in line with the 13 recommendations contained in Communication COM(2013) 847 final. After the judgment of the Court of Justice of the European Union in the Schrems case, these talks were intensified, with a view to a possible new adequacy decision which would meet the requirements of Article 25 of Directive 95/46/EC as interpreted by the Court of Justice. The documents which are annexed to this decision and will also be published in the U.S. Federal Register are the result of these discussions. The privacy principles (Annex II), together with the official representations and commitments by various U.S. authorities contained in the documents in Annexes I, III to VII, constitute the ‘EU-U.S. Privacy Shield’.
  13. The Commission has carefully analysed U.S. law and practice, including these official representations and commitments. Based on the findings developed in recitals 136-140, the Commission concludes that the United States ensures an adequate level of protection for personal data transferred under the EU-U.S. Privacy Shield from the Union to self-certified organisations in the United States.

[1] Case C-362/14, Maximillian Schrems v Data Protection Commissioner (‘Schrems’), EU:C:2015:650, paragraph 39.

[2] Case C-553/07, Rijkeboer, EU:C:2009:293, paragraph 47; Joined Cases C-293/12 and C-594/12, Digital Rights Ireland and Others, EU:C:2014:238, paragraph 53; Case C-131/12, Google Spain and Google, EU:C:2014:317, paragraphs 53, 66 and 74.

[3] Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the U.S. Department of Commerce (OJ L 215, 28.8.2000, p. 7).

[4] Communication from the Commission to the European Parliament and the Council Rebuilding Trust in EU-U.S. Data Flows, COM(2013) 846 final of 27 November 2013.

[5] Communication from the Commission to the European Parliament and the Council on the Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies established in the EU, COM(2013) 847 final of 27 November 2013.

[6] See e.g. Council of the European Union, Final Report by EU-US High Level Contact Group on information sharing and privacy and personal data protection, Note 9831/08, 28 May 2008, available on the internet at: http://www.europarl.europa.eu/document/activities/cont/201010/20101019ATT88359/20101019ATT88359EN.pdf.

[7] Report on the Findings by the EU Co-chairs of the ad hoc EU-U.S. Working Group on Data Protection, 27 November 2013, available on the internet at: http://ec.europa.eu/justice/data-protection/files/report-findings-of-the-ad-hoc-eu-us-working-group-on-data-protection.pdf.

[8] See footnote 3.

[9] Schrems, paragraph 97.

[10] Schrems, paragraphs 73-74.

[11] Schrems, paragraphs 88-89.