Risk in Context

Privacy Shield Adoption Brings Further Clarity to EU-US Data Protection

Posted by Jeffrey Batt July 12, 2016

The US government and the European Commission recently signed the Privacy Shield agreement, giving US companies clearer direction for handling and sharing data. However, potential roadblocks remain as the agreement may face legal challenges.

Privacy Shield addresses the problem created by an October 2015 judgment in which the European Court of Justice (ECJ) negated the EU-US Safe Harbor agreement for data transfer, largely due to concerns about the sharing of data between the private sector and the US government. The ECJ decision terminated an arrangement that had been in place since 2000, leaving some 4,500 US companies without a viable legal mechanism for transferring personal data from the EU to the US.

Compared to Safe Harbor, Privacy Shield places tighter data-use constraints on US companies and authorities and offers individuals far stronger redress mechanisms to enforce their rights.

Highlights of the new agreement include:

  • Limits on mass surveillance: Safeguards and oversight aim to limit mass surveillance and wall off some US intelligence community data access. This component stems in large part from European unease related to the 2013 Edward Snowden disclosures. It remains an area of concern for some privacy advocates and is seen as a likely area of legal challenge.
  • Transparency: US companies must provide greater transparency and are subject to more stringent monitoring. Sanctions can be imposed for noncompliance.
  • Third-party data: Privacy Shield calls for mandatory third-party compliance. So if Company A processes data from companies that abide by the Privacy Shield framework, Company A will have to also adhere to the same requirements.
  • Review: Privacy Shield will be subject to an annual joint review between the EU and US government.

Next Steps

With Privacy Shield now in place, companies need to determine (1) whether they are eligible to take part in the framework and (2) if they are, whether to sign up, as doing so will trigger an internal compliance assessment. As such, some companies may hold off until Privacy Shield has survived the expected legal challenges. However, most eligible companies are likely to take part because of the certainty that Privacy Shield provides, at least in the short term.

After all, despite being both complex and costly from a compliance standpoint, Privacy Shield is still less of an administrative burden than the model clauses that have been used since Safe Harbor’s demise. Also, in the wake of Brexit and continued uncertainty in European and emerging markets, Privacy Shield’s rules-based assurances on data use and transfers are attractive from a business risk and planning perspective.

Related to: Cyber Risk

Jeffrey Batt

Vice President, Cyber Practice