EU-US Privacy Shield

EU-US Privacy Shield Framework


Companies established or using equipment in the European Economic Area (EEA)—the 28 EU member states plus Iceland, Liechtenstein and Norway—are prohibited from sharing personal data with affiliates, vendors, customers and anyone else outside the EEA, unless an adequate level of data protection in the recipient jurisdiction is assured or an exception or derogation applies. This prohibition stems from the EU Data Protection Directive of 1995 (95/46/EC) (EU Data Protection Directive) and a comparable requirement will continue to apply when the new General Data Protection Regulation (GDPR) becomes effective on May 25, 2018 (see Art. 25 of the EU Data Protection Directive and Art. 44 of the GDPR).


Pragmatically, companies cannot conduct any business without sharing at least some contact information and many transactions require more intensive information sharing. Therefore, companies in the EEA need to ensure adequate data protection safeguards to do business or otherwise transmit data outside the EEA.


Control Parameters for EU-US Privacy Shield


The control requirements of the EU-US Privacy Shield offer several important benefits to U.S.-based organizations. These benefits include the following:

  • All Member States of the European Union are bound by the European Commission’s finding of “adequacy”;

  • Participating organizations are deemed to provide “adequate” privacy protection, a requirement (subject to limited derogations) for the transfer of personal data outside of the European Union under the EU Data Protection Directive;

  • EU Member State requirements for prior approval of data transfers either are waived or approval will be automatically granted; and

  • Compliance requirements are clearly defined and cost-effective, which should particularly benefit small and medium-sized enterprises.


Benefits of the EU-US Privacy Shield


There are many benefits associated with the EU-US Privacy Shield Framework, even for a company that currently relies on model contract clauses (MCCs) for compliance today and for future compliance with the GDPR. It is quick and inexpensive to establish, and offers the following benefits:

  • Implementation is usually faster; unlike transfers based on MCCs, transfers based on the EU-US Privacy Shield do not require prior authorization from, or notification to, 65% of EU data protection authorities, a step that can delay initiatives.

  • There is less paperwork; transfers with the EU-US Privacy Shield do not require updates and new signatures on contractual clauses each time a business process or data flow changes.

  • The EU-US Privacy Shield drives corporate sponsorship of privacy programmes by requiring corporate officers to annually sign an attestation of compliance, subject to criminal enforcement.

  • The Privacy Shield drives sustainability through its annual compliance verification, fostering compliance from the top down through executive sponsorship, often more so than the MCC equivalent.

  • Given the risk that MCCs could themselves be invalidated, the Privacy Shield mitigates the risk of data transfers being invalidated overnight, as happened with the EU-US Safe Harbor framework.

  • The principles necessary to comply with the EU-US Privacy Shield are similar to many of the data protection safeguards necessary for GDPR compliance, making it an excellent starting point for the additional obligations coming for GDPR such as program governance, broader individual rights, privacy by design and default, and breach notification.


When applicable, ALLENDEVAUX can ensure that the requirements of the EU-US Privacy Shield are included in an Information Security Management System (ISMS) for technical, administrative, and physical security best practices in frameworks such as ISO/IEC 27001:2013.


How We Can Help


ALLENDEVAUX will assist with the certification process in compliance with the EU-US Privacy Shield. The following points highlight the activities ALLENDEVAUX will superintend.

  • Populate the self-certification application form with the organizational details, such as the organization's name in the US and its address.

  • Complete the forms with a proper organizational contact, including the contact office, the contact name and title, email address, US telephone number, etc.

  • Specify the organizational corporate officer who is a US national or citizen (name, title, email, telephone, etc.).

  • Provide a description of the organization’s activities with respect to all personal data received from the EU in reliance on the EU-US Privacy Shield.

  • List the names of the legal entities, in the EU and the US, that also adhere to the EU-US Privacy Shield and are covered under the organization's self-certification; this includes all covered entities and subsidiaries, regardless of global location.

  • Provide the types of personal data that the EU-US Privacy Shield commitment covers. Note that for purposes of this self-certification form, the term "human resources data" refers to personal data about employees, past or present, collected in the context of the employment relationship. Examples of other types of personal data that could be covered include customer, client, visitor and clinical trial data. ALLENDEVAUX will help define on the Privacy Shield application the purposes for which an enterprise processes personal data in reliance on the Privacy Shield, including the types of personal data the organization processes and, if applicable, the types of third parties to which it discloses such personal information.

  • ALLENDEVAUX will recommend the independent recourse mechanism available to investigate unresolved complaints.

  • ALLENDEVAUX will work with an enterprise to review, and modify if necessary, the privacy policy applicable to personal data; this policy will be submitted to the US Department of Commerce for review, together with its effective date.

  • ALLENDEVAUX will prepare the filing listing the relevant public web sites where the privacy policy is available, and will recommend modifications to the website privacy policies if needed.

  • ALLENDEVAUX will prepare the filing that specifies which appropriate statutory body has jurisdiction to investigate claims against the organization regarding possible unfair or deceptive practices and violations of laws or regulations covering privacy. To be transferred in reliance on the Privacy Shield, personal data must be processed in connection with an activity that is subject to the jurisdiction of at least one appropriate statutory body such as the Federal Trade Commission or the Department of Transportation.

  • ALLENDEVAUX will prepare the response regarding the organization's verification method: self-assessment or outside compliance review.

  • ALLENDEVAUX will consult with the enterprise to specify the organization's annual revenue, which determines the fee to be paid for certification under the Privacy Shield Framework; the fee will not be viewable by the public.

  • ALLENDEVAUX will consult with the enterprise to specify the industry sector applicable to the organization and the number of employees.



Get Connected

US East: +1 513 401 7107

US West: +1 213 279 1055

UK: +44 2038 802 321

CH: +41 44 585 91 15

35 Rockridge, Englewood OH 45322


Copyright (c) 2019 by Allendevaux & Company LLC.  

All rights reserved.