What is the EU-US Privacy Shield 2.0? Is it relevant for USA companies?

The EU-US Privacy Shield 2.0: Understand why the Data Protection Framework is relevant for US companies and how the US Safe Harbor Program set the pace for transatlantic data exchange. 

Is EU-US Privacy Shield 2.0 relevant for US companies?  In summary, until the Privacy Shield and GDPR are fully confirmed and enacted, transferring data across the Atlantic is still a challenging and complex legal procedure.  Our advice is focus focus focus... use the beginning of 2018 for GDPR compliance and leverage certified anonymization and pseudonymization technologies like TDA to expedite your compliance.  If you don't know how to get started with GDPR compliance, first sign up for our one-day GDPR workshop and we will provide you with a GDPR "To-Do" list customized for you.   Secondly, follow our LinkedIn Page for up-to-date news on when to apply for the Privacy Shield in 2018.

What is the EU-US Privacy Shield?

The EU-US and Swiss-US Privacy Shield Framework were designed by the US Department of Commerce and the European Commission and Swiss Administration. The frameworks provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.  This new Data Privacy Framework replaces the EU Safe Harbor program (see history below).

  • On September 21, 2017, a joint press statement was issued by US Secretary of Commerce Ross and Commissioner Jourova on the EU-US Privacy Shield following their first annual review.  In October, a report was published that reflects the Commission’s review findings on the implementation and enforcement of the EU-US Data Privacy Framework in its first year of operation.  On the whole, the report shows that the Privacy Shield continues to ensure an adequate level of data protection. However, there is room for improvement.  On this basis, the Commission has drawn up a list of recommendations on the functioning of the Shield that need to be improved by the US authorities. Based on this information, our recommendation is to wait until this list is completed. Follow our LinkedIn page for news on when to invest your time on the Privacy Shield self-certification.


In 2000, the European Commission issued a uniquely limited adequacy finding that stated US companies would be deemed to assure adequate data protection if they joined a “US Safe Harbor” program that the US Commerce Department had agreed with the European Commission to enable US companies to satisfy EU adequacy requirements. Interestingly, fifteen years and approximately 4,500 company registrations later, the Court of Justice of the European Union (CJEU) invalidated the Commission's adequacy decision from 2000 on October 6, 2015 due primarily to concerns that the US Safe Harbor itself did not embed protections against US law and policy on government surveillance.  The commission discontinued accepting annual re-certifications for existing US Safe Harbor companies at the end of October 2016.

Register for a one-day workshop to create your GRDP road map here.