Updated June 28, 2021
U.S.-EU Privacy Shield
Data Transfers and Surveillance Issues

For decades, data privacy and protection issues have been sticking points in U.S.-European Union (EU) relations. The EU considers the privacy of communications and the protection of personal data to be fundamental rights, codified in EU law, while U.S. policy protects certain data on a sectoral basis. To address EU concerns that the United States does not sufficiently protect personal data, the United States and the EU have concluded data transfer agreements in both the commercial and law enforcement sectors. However, unauthorized disclosures in the media in 2013 of U.S. surveillance programs and the alleged involvement of some U.S. telecommunications and internet companies heightened EU concerns about U.S. government access to EU citizens’ personal data. Resulting tensions have impacted confidence in U.S.-EU data transfer accords, threatening bilateral trade for U.S. and EU businesses, and elevated congressional concerns that the EU approach to data protection creates unfair trade barriers and limits U.S. firms’ access to the EU market.

EU Court Invalidates Privacy Shield

The Court of Justice of the European Union (CJEU, also known as the European Court of Justice, or ECJ) has invalidated two U.S.-EU commercial data transfer accords, most recently the Privacy Shield Framework in July 2020. In force since 2016, Privacy Shield provided a mechanism to transfer EU citizens’ personal data to the United States while complying with EU data protection rules. Privacy Shield sought to address concerns raised in a 2015 CJEU decision that struck down a similar U.S.-EU data transfer accord, the Safe Harbor Agreement of 2000. Privacy Shield also was crafted in anticipation of the EU’s General Data Protection Regulation (GDPR), which came into effect in May 2018, and created new individual rights and requirements for data protection throughout the EU.

However, the CJEU found that Privacy Shield failed to meet EU data protection standards given the breadth of U.S. data collection powers authorized in U.S. electronic surveillance laws and the lack of redress options for EU citizens. The CJEU ruling also increased due diligence requirements for data exporters using another EU mechanism—standard contractual clauses (SCCs)—to transfer personal data to the United States.

U.S. and Congressional Interests

The CJEU Privacy Shield ruling raises several issues for the United States, including how to ensure continued data flows for U.S. companies and organizations that depend on Privacy Shield. Data flows underlie much of the $6.2 trillion U.S.-European economic relationship. The CJEU ruling creates legal uncertainty for many firms engaged in transatlantic trade, both those that relied on Privacy Shield (over 75% of which are small and mid-sized firms, SMEs) and those using SCCs, including many large multinational companies.

Congress has a role in U.S. surveillance legislation and oversight, and some Members are debating the need for a U.S. federal data privacy policy. In addition, ongoing international trade negotiations may address digital trade and data flows. Congressional action in these areas could help shape the future landscape for U.S.-EU data transfers.

Transatlantic Data Flows

According to the U.S. Bureau of Economic Analysis, the United States and Europe are each other’s most important commercial partners for digitally enabled services. U.S.-EU trade of information and communications technology (ICT) services and potentially ICT-enabled services was over $345 billion in 2018 (see Figure 1). Transatlantic data flows account for more than half of Europe’s data flows and about half of U.S. data flows globally. Such data flows enable people to transmit information for online communication, track global supply chains, share research, provide cross-border services, and support technological innovation, among other activities. Organizations may use customer or employee personal data to facilitate business transactions, analyze marketing information, discover fraudulent payments, improve proprietary algorithms, or develop competitive innovations.

Figure 1. U.S.-EU Trade of ICT and Potentially ICT-Enabled (PICTE) Services, 2018
Source: CRS with data from the Bureau of Economic Analysis.
Note: Includes United Kingdom (UK).

As of July 2020, Privacy Shield had 5,380 participants, including U.S. businesses and other organizations, U.S. subsidiaries in Europe, and 250 entities headquartered in Europe. The CJEU judgment could raise operating costs, especially for SMEs, given the limited alternatives for data transfers (see below). The number of Privacy Shield participants began to fall after the CJEU ruling.

Following the CJEU ruling, the European Data Protection Board (EDPB) issued guidance providing examples of supplementary measures that data exporters using SCCs might take, and the EU updated the SCCs to ensure that personal data transferred receives a level of protection equivalent to that under EU law. Given the CJEU finding that U.S. surveillance authorities render U.S. data protections inadequate, experts suggest that SCCs may not be usable in practice for social media and ICT companies subject to U.S. electronic surveillance laws. Industry groups
and the U.S. Department of Commerce (Commerce) also released recommendations and information for entities implementing Privacy Shield and SCCs. In addition, specific derogations identified under EU law allow for the transfer of personal data outside of the EU (such as when needed to perform a contract or if there is explicit consent) and are not affected by the CJEU ruling.

Privacy Shield Framework

The Privacy Shield Framework requires adherence to seven distinct privacy principles: notice, choice, accountability for onward data transfer, security, data integrity and purpose limitation, access, and recourse, enforcement, and liability. The Framework also sets out 16 mandatory supplemental principles that include provisions on sensitive data, secondary liability, the role of data protection authorities (DPAs), human resources data, pharmaceutical and medical products, and publicly available data. To address EU concerns about U.S. surveillance practices, the Privacy Shield agreement contains written assurances from U.S. officials, including in the intelligence community, asserting that U.S. access to EU citizens’ personal data will be subject to clear limitations, safeguards, and oversight mechanisms. Nevertheless, the CJEU found these guarantees insufficient.

Joining Privacy Shield and Program Enforcement

To voluntarily join the Privacy Shield program, a U.S.-based organization must self-certify annually to Commerce, publicly committing to comply with the Framework’s principles and requirements that are enforceable under U.S. law. The program is administered by Commerce and the European Commission (the EU’s executive). Commerce monitors firms’ effective compliance and investigates complaints. Despite the CJEU decision, Commerce stated it will continue to administer the Privacy Shield Framework and that the ruling “does not relieve participating organizations of their Privacy Shield obligations.”

The U.S. Federal Trade Commission (FTC) and the U.S. Department of Transportation enforce compliance. In June 2020, FTC reported enforcement actions against dozens of companies that made false or deceptive representations about Privacy Shield participation. The FTC’s $5 billion penalty against Facebook included holding executives accountable for privacy-related decisions and prohibiting misrepresentations related to Privacy Shield. A separate Privacy Shield Ombudsperson at the U.S. Department of State handles complaints regarding U.S. national security access to personal data. The CJEU’s ruling, however, questioned the ombudsperson’s independence and ability to provide “effective judicial protection” for EU citizens.

Future Prospects

The Trump Administration began negotiations with the EU on next steps to update or replace Privacy Shield. The Biden Administration has stated it intends to conclude an enhanced successor accord, both to help bolster U.S.-EU relations and address U.S. business demands for durable, protected transatlantic data flows. U.S. negotiators are reportedly seeking to provide greater assurances to the EU through executive orders and administrative action that would protect EU citizens’ personal data and clarify how Europeans can pursue redress in U.S. courts for any alleged misuse of their data. Some in the EU question whether such measures would satisfy the EDPB or, ultimately, the CJEU, and contend that legally-binding mechanisms may be necessary to address EU concerns. In the June 2021 U.S.-EU summit statement, President Biden and EU leaders committed to “work together to strengthen legal certainty in transatlantic flows of personal data.” U.S.-EU negotiations on an enhanced Privacy Shield are continuing.

Apart from Privacy Shield, U.S. firms have limited options for cross-border data flows with the EU. They include:

- Create Binding Corporate Rules (BCRs) that EU officials must approve on a firm-by-firm basis;
- Implement updated EU-approved SCCs and reassess for adequate safeguards according to the CJEU ruling;
- Use commercial cloud services provided by large technology firms that use approved BCRs or updated SCCs (e.g., Microsoft, IBM);
- Store EU citizens’ personal data only in the EU or other approved country, an idea advocated by some European DPAs and other stakeholders;
- Obtain consent from individuals for every single transfer of personal data, a likely logistically challenging and costly option for many entities;
- Exit or limit participation in the EU market.

Other alternatives would be for the EU to establish codes of conduct or certifications that meet GDPR requirements which organizations could apply. These programs could be U.S.-EU specific or at a broader, global level.

Options for Congress

Many Members of Congress have supported the Privacy Shield framework as vital to U.S.-EU trade and investment ties. Some policymakers may be concerned by the impact of the CJEU decision on SMEs, in particular, and on U.S. trade more broadly. Possible options for Congress include:

- Exploring changes when authorizing and overseeing surveillance programs to better protect data privacy or otherwise address EU concerns;
- Considering comprehensive national privacy legislation that includes data protection provisions that may align to some extent with GDPR requirements, to provide some level of certainty to EU businesses and individuals;
- Examining how best to achieve broader consensus on data flows and privacy at the global level and hold hearings on U.S. engagement in ongoing bilateral and multilateral digital trade negotiations.

Also see CRS In Focus IF10896, EU Data Protection Rules and U.S. Implications, by Rachel F. Fefer and Kristin Archick; CRS Report R46724, EU Data Transfer Requirements and U.S. Intelligence Laws: Understanding Schrems II and Its Impact on the EU-U.S. Privacy Shield, by Chris D. Linebaugh and Edward C. Liu, and CRS Report R45584, Data Flows, Online Privacy, and Trade Policy, by Rachel F. Fefer.

Rachel F. Fefer, Analyst in International Trade and Finance
Kristin Archick, Specialist in European Affairs
https://crsreports.congress.gov
IF11613
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.
https://crsreports.congress.gov | IF11613 · VERSION 3 · UPDATED