Privacy Shield News and Events

Privacy Shield-Related News 

  • March 25, 2022: The United States and the European Commission announced that they have agreed in principle on a new “Trans-Atlantic Data Privacy Framework”, which will foster trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union in the Schrems II decision of July 2020. The Trans-Atlantic Data Privacy Framework reflects more than a year of detailed negotiations and marks an unprecedented commitment by the United States to implement reforms that will strengthen the privacy and civil liberties protections applicable to U.S. signals intelligence activities. Those forthcoming reforms will ultimately underpin all commercial transfers of EU personal data to the United States, including those made in reliance on the EU-U.S. Privacy Shield, Standard Contractual Clauses, and Binding Corporate Rules. The Trans-Atlantic Data Privacy Framework will allow the European Commission to issue a new adequacy decision, which will permit the transfer of EU personal data to the United States under the EU-U.S. Privacy Shield consistent with EU law.  After that decision is issued, organizations wishing to use the EU-U.S. Privacy Shield to receive EU personal data will continue to be required to adhere to the Privacy Shield Principles, including the requirement to self-certify annually their adherence to the Principles through the U.S. Department of Commerce.  The name EU-U.S. Privacy Shield and the requirements applicable to participating organizations will remain the same. The Department will continue to provide timely updates on the status of the EU-U.S. Privacy Shield as a basis for transfers of EU personal data to the United States, including as relates to the issuance by the European Commission of a new adequacy decision.
  • March 25, 2022: U.S. Secretary of Commerce Gina Raimondo Statement on the Announcement of the Trans-Atlantic Data Privacy Framework
  • March 15, 2022: The Federal Trade Commission (FTC) filed an administrative complaint against Residual Pumpkin Entity, LLC, formerly doing business as CafePress, and PlanetArt, LLC, doing business as CafePress since September 2020, for allegedly engaging in acts and practices that constitute unfair or deceptive trade practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act. According to the complaint, these acts and practices include misrepresenting CafePress’s data security practices, engaging in unfair data security practices, and misrepresentations relating to the Privacy Shield frameworks. Additional information concerning this matter can be found here and information concerning other Privacy Shield-related FTC enforcement actions can be found here.
  • March 25, 2021: U.S. Secretary of Commerce Gina Raimondo and European Commissioner for Justice Didier Reynders issued a joint statement noting in part that “The U.S. Government and the European Commission have decided to intensify negotiations on an enhanced EU-U.S. Privacy Shield framework to comply with the July 16, 2020 judgment of the Court of Justice of the European Union in the Schrems II case. These negotiations underscore our shared commitment to privacy, data protection, and the rule of law and our mutual recognition of the importance of transatlantic data flows to our respective citizens, economies, and societies.” The Privacy Shield and transatlantic data flows are a top priority for the Biden Administration.
  • September 28, 2020: The U.S. Government released a white paper to assist organizations in assessing whether their EU-U.S. data transfers offer appropriate protection in accordance with the ECJ’s Schrems II ruling.
  • September 8, 2020: The Federal Data Protection and Information Commissioner (FDPIC) of Switzerland issued an opinion concluding that the Swiss-U.S. Privacy Shield Framework does not provide an adequate level of protection for data transfers from Switzerland to the United States pursuant to Switzerland’s Federal Act on Data Protection (FADP). As a result of that opinion, organizations wishing to rely on the Swiss-U.S. Privacy Shield to transfer personal data from Switzerland to the United States should seek guidance from the FDPIC or legal counsel. That opinion does not relieve participants in the Swiss-U.S. Privacy Shield of their obligations under the Swiss-U.S. Privacy Shield Framework. As we work to resolve the situation, the U.S. Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. If you have questions, please contact the FDPIC or legal counsel.
  • August 10, 2020: Joint Press Statement from Former U.S. Secretary of Commerce Wilbur Ross and European Commissioner for Justice Didier Reynders
  • August 5, 2020: Former Federal Trade Commission (FTC) Chairman Joseph Simons noted with reference to the July 16, 2020 decision by the CJEU that “We stand ready to support the administration’s efforts in this area, but at the same time we will continue to hold companies accountable for their privacy commitments, including promises made under the Privacy Shield.”
  • July 16, 2020Former U.S. Secretary of Commerce Wilbur Ross Statement on Schrems II Ruling and the Importance of EU-U.S. Data Flows
  • July 16, 2020: The Court of Justice of the European Union (CJEU) issued a judgment declaring as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. That decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework. As we work to resolve the situation, the U.S. Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. If you have questions, please contact the European Commission, the appropriate European national data protection authority or legal counsel.