1. The EU-U.S. Privacy Shield is based on a system of self-certification by which U.S. organisations commit to a set of privacy principles — the EU-U.S. Privacy Shield Framework Principles, including the Supplemental Principles (hereinafter together: ‘the Principles’) — issued by the U.S. Department of Commerce and contained in Annex II to this decision. It applies to both controllers and processors (agents), with the specificity that processors must be contractually bound to act only on instructions from the EU controller and assist the latter in responding to individuals exercising their rights under the Principles[1].
  2. Without prejudice to compliance with the national provisions adopted pursuant to Directive 95/46/EC, the present decision has the effect that transfers from a controller or processor in the Union to organisations in the U.S. that have self-certified their adherence to the Principles with the Department of Commerce and have committed to comply with them are allowed. The Principles apply solely to the processing of personal data by the U.S. organisation in as far as processing by such organisations does not fall within the scope of Union legislation.[2] The Privacy Shield does not affect the application of Union legislation governing the processing of personal data in the Member States[3].
  3. The protection afforded to personal data by the Privacy Shield applies to any EU data subject[4] whose personal data have been transferred from the Union to organisations in the U.S. that have self-certified their adherence to the Principles with the Department of Commerce.
  4. The Principles apply immediately upon certification. One exception relates to the Accountability for Onward Transfer Principle in a case where an organisation self-certifying to the Privacy Shield already has pre-existing commercial relationships with third parties. Given that it may take some time to bring those commercial relationships into conformity with the rules applicable under the Accountability for Onward Transfer Principle, the organisation will be obliged to do so as soon as possible, and in any event no later than nine months from self-certification (provided that this takes places in the first two months following the day when the Privacy Shield becomes effective). During this interim period, the organisation must apply the Notice and Choice Principle (thus allowing the EU data subject an opt-out) and, where personal data is transferred to a third party acting as an agent, must ensure that the latter provides at least the same level of protection as is required by the Principles[5]. This transitional period provides a reasonable and appropriate balance between the respect for the fundamental right to data protection and the legitimate needs of businesses to have sufficient time to adapt to the new framework where this also depends on their commercial relationships with third parties.
  5. The system will be administered and monitored by the Department of Commerce based on its commitments set out in the representations from the U.S. Secretary of Commerce (Annex I to this decision). With regard to the enforcement of the Principles, the Federal Trade Commission (FTC) and the Department of Transportation have made representations that are contained in Annex IV and Annex V to this decision.

[1] See Annex II, Sec. III.10.a. In line with the definition in Sec. I.8.c., the EU controller will determine the purpose and means of processing of the personal data. Moreover, the contract with the agent has to make clear whether onward transfers are allowed (see Sec. III.10.a.ii.2.).

[2] This applies also where human resources data transferred from the Union in the context of the employment relationship are concerned. While the Principles stress the ‘primary responsibility’ of the EU employer (see Annex II, Sec. III.9.d.i.), they at the same time make clear that its conduct will be covered by the rules applicable in the Union and/or respective Member State, not the Principles. See Annex II, Sec. III.9.a.i., b.ii., c.i., d.i.

[3] This applies also to processing that takes place through the use of equipment situated in the Union but used by an organisation established outside the Union (see Article 4(1)(c) of Directive 95/46/EC). As of 25 May 2018, the General Data Protection Regulation (GDPR) will apply to the processing of personal data (i) in the context of the activities of an establishment of a controller or processor in the Union (even where the processing takes place in the United States), or (ii) of data subjects who are in the Union by a controller or processor not established in the Union where the processing activities are related to (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union. See Article 3(1), (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).

[4] The present decision has EEA relevance. The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Directive 95/46/EC, is covered by the EEA Agreement and has been incorporated into Annex XI thereof. The EEA Joint Committee has to decide on the incorporation of the present decision into the EEA Agreement. Once the present decision applies to Iceland, Liechtenstein and Norway, the EU-U.S. Privacy Shield will also cover these three countries and references in the Privacy Shield package to the EU and its Member States shall be read as including Iceland, Liechtenstein and Norway.

[5] See Annex II, Sec. III.6.e.