August 6, 2020
U.S.-EU Privacy Shield
Data Transfers and Surveillance Issues
For decades, data privacy and protection issues have been sticking points in U.S. relations with the European Union (EU), in part because of different data privacy approaches and legal regimes. To bridge differences and enable data transfers, the United States and the EU have concluded data-sharing accords in both the commercial and law enforcement sectors. However, unauthorized disclosures in 2013 of U.S. surveillance programs and the alleged involvement of some U.S. telecommunications and internet companies heightened EU concerns about U.S. government access to EU citizens’ personal data, with ramifications for U.S.-EU data transfer arrangements. Resulting trade tensions have impacted U.S. and EU businesses, elevating congressional concerns that the EU approach to data protection creates unfair trade barriers and limits U.S. firms’ access to the EU market.

EU Court Invalidates Privacy Shield
The Court of Justice of the European Union (CJEU, also known as the European Court of Justice, or ECJ) has invalidated two U.S.-EU commercial data transfer accords, most recently the Privacy Shield Framework on July 16, 2020. In force since 2016, Privacy Shield provided over 5,000 companies a mechanism to transfer EU citizens’ personal data to the United States while complying with EU data protection rules. Privacy Shield sought to address concerns raised in a 2015 CJEU decision that struck down a similar U.S.-EU data transfer accord, the Safe Harbor Agreement of 2000. However, the CJEU found that Privacy Shield failed to meet EU data protection standards given the breadth of U.S. data collection powers authorized in U.S. electronic surveillance laws and the lack of redress options for EU citizens. The CJEU’s concerns about U.S. surveillance laws also may pose challenges for some firms using another EU mechanism—standard contractual clauses (SCCs)—to transfer personal data to the United States.

U.S. and Congressional Interests
The CJEU Privacy Shield ruling raises several issues for the United States and Congress, including how to ensure continued data flows for U.S. companies and organizations that depend on Privacy Shield. Transatlantic data flows are of critical importance for the $5.5 trillion U.S.-European economic relationship. The CJEU ruling creates legal uncertainty for many firms engaged in transatlantic trade, both those that relied on Privacy Shield (over 65% of which are small and mid-sized firms, SMEs) and those using SCCs, including many large multinational companies.

Congress also has a role in U.S. surveillance legislation and oversight, and some Members are debating the need for a U.S. federal data privacy and protection policy. In addition, ongoing U.S.-EU and other trade negotiations may address digital trade and data flows. Congressional action in these areas could help shape the future landscape for U.S.-EU data transfers.

Transatlantic Data Flows
According to recent studies, the United States and Europe are each other’s most important commercial partners for digitally enabled services. U.S.-EU trade of information and communications technology (ICT) services and potentially ICT-enabled services was over $345 billion in 2018 (see Figure 1). Transatlantic data flows account for more than half of Europe’s data flows and about half of U.S. data flows globally. Such data flows enable people to transmit information for online communication, track global supply chains, share research, provide cross-border services, and support technological innovation, among other activities. Organizations may use customer or employee personal data to facilitate business transactions, analyze marketing information, detect disease patterns from medical histories, discover fraudulent payments, improve proprietary algorithms, or develop competitive innovations.

Figure 1. U.S.-EU Trade of ICT and Potentially ICT-Enabled (PICTE) Services, 2018
Source: CRS with data from the Bureau of Economic Analysis.
Note: Includes United Kingdom (UK).

As of July 2020, Privacy Shield had 5,380 participants, including U.S. businesses and other organizations, U.S. subsidiaries in Europe, and 250 entities headquartered in Europe. The CJEU judgment could raise operating costs, especially for SMEs, given the limited alternatives for data transfers (see below). Although SCCs remain valid, the CJEU ruling increases due diligence requirements for data exporters using SCCs to ensure that personal data transferred receives a level of protection equivalent to that under EU law. Given the CJEU finding that U.S. surveillance authorities render U.S. data protections inadequate, experts suggest that SCCs may not be usable in practice for social media and ICT companies subject to U.S. electronic surveillance laws. Separate from Privacy Shield and SCCs, specific derogations identified under EU law allow for the transfer of personal data outside of the EU (such as when needed to perform a contract or if there is explicit consent) and are not affected by the CJEU ruling.
https://crsreports.congress.gov
Privacy Shield Framework
The Privacy Shield Framework requires adherence to seven distinct privacy principles: notice, choice, accountability for onward data transfer, security, data integrity and purpose limitation, access, and recourse, enforcement, and liability. The Framework also sets out 16 mandatory supplemental principles that include provisions on sensitive data, secondary liability, the role of data protection authorities (DPAs), human resources data, pharmaceutical and medical products, and publicly available data. In contrast to the former Safe Harbor accord, the Privacy Shield agreement contains written assurances from U.S. officials, including in the intelligence community, that U.S. access to EU citizens’ personal data will be subject to clear limitations, safeguards, and oversight mechanisms. Privacy Shield was crafted in anticipation of the EU’s General Data Protection Regulation (GDPR), which came into effect in May 2018, and created new individual rights and requirements for data protection throughout the EU.

Joining Privacy Shield and Program Enforcement
To voluntarily join the Privacy Shield program, a U.S.-based organization must self-certify annually to the U.S. Department of Commerce (Commerce), publicly committing to comply with the Framework’s principles and requirements that are enforceable under U.S. law. The program is administered by Commerce and the European Commission (the EU’s executive). Commerce monitors firms’ effective compliance and investigates complaints. Despite the CJEU decision, Commerce stated it will continue to administer the Privacy Shield Framework and that the ruling “does not relieve participating organizations of their Privacy Shield obligations.”

The U.S. Federal Trade Commission (FTC) and the U.S. Department of Transportation enforce compliance. In June 2020, FTC reported enforcement actions against dozens of companies that made false or deceptive representations about Privacy Shield participation. The FTC’s $5 billion penalty against Facebook included holding executives accountable for privacy-related decisions and prohibiting misrepresentations related to Privacy Shield. A separate Privacy Shield Ombudsperson at the U.S. Department of State handles complaints regarding U.S. national security access to personal data. The CJEU’s ruling, however, questioned the ombudsperson’s independence and ability to provide “effective judicial protection” for EU citizens.

In September 2019, EU and U.S. officials held their third annual review of the administration and enforcement of Privacy Shield. The EU cited progress in U.S. oversight and enforcement actions, but noted concern about a “lack of oversight in substance” and the need for more checks for onward transfers, issues similar to those cited by the CJEU.

Future Prospects
Following the invalidation of the Safe Harbor accord in 2015, U.S. and EU officials agreed to an enforcement moratorium while they negotiated Privacy Shield. No similar moratorium has been announced to protect Privacy Shield participants, although U.S. and EU officials have begun discussions on next steps to update or replace Privacy Shield in light of the CJEU decision. U.S. and EU industry groups have jointly called for a swift negotiation to ensure durable, protected transatlantic data flows. Apart from Privacy Shield, U.S. firms have limited options for cross-border data flows with the EU. They include:

- Create Binding Corporate Rules (BCRs) that EU officials must approve on a firm-by-firm basis;
- Implement EU-approved SCCs updated to align with the GDPR and reassessed for adequate safeguards in accordance with the CJEU ruling;
- Use commercial cloud services provided by large technology firms that use approved BCRs or SCCs (e.g., Microsoft, IBM);
- Store EU citizens’ personal data only in the EU, an idea advocated by some European DPAs and other stakeholders;
- Obtain consent from individuals for every single transfer of personal data, a likely logistically challenging and costly option for many entities;
- Exit or limit participation in the EU market.

Other alternatives for firms include establishing codes of conduct or certifications that meet GDPR requirements for which individual organizations could apply. These programs could be U.S.-EU specific or at a broader, international level.

Options for Congress
Many Members of Congress have supported the Privacy Shield framework as vital to U.S.-EU trade and investment ties. Congress may be concerned by the impact of the CJEU decision on SMEs, in particular, and on U.S. trade more broadly. Possible options for Congress include:

- Holding hearings with the U.S. agencies charged with administering and enforcing Privacy Shield to identify issues and provide direction for negotiating any new agreement or other alternative data transfer mechanisms.
- Exploring changes when authorizing and overseeing surveillance programs to better protect data privacy or otherwise address EU concerns.
- Considering comprehensive national privacy legislation that includes data protection provisions that may align to some extent with GDPR requirements, potentially eliminating the need for a U.S.-EU-specific data flow agreement in the longer-term.
- Evaluating the trade-related aspects of data flows in trade agreements, including through oversight of ongoing U.S. trade negotiations with the EU and, separately, with the United Kingdom (UK) as the UK seeks to align its data protection laws with the GDPR.
- Examining how best to achieve broader consensus on data flows and privacy at the global level and U.S. engagement in ongoing international data initiatives.

Also see, CRS In Focus IF10896, EU Data Protection Rules and U.S. Implications, by Rachel F. Fefer and Kristin Archick; and CRS Report R45584, Data Flows, Online Privacy, and Trade Policy, by Rachel F. Fefer.

Rachel F. Fefer, Analyst in International Trade and Finance
Kristin Archick, Specialist in European Affairs
IF11613
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.
https://crsreports.congress.gov | IF11613 · VERSION 1 · NEW