The EU-US Privacy Shield is an informal arrangement in the field of data protection law negotiated between the European Union and the United States of America in 2015-2016. It consists of a series of assurances from the U.S. federal government and a decision by the EU Commission. The Commission decided on July 12, 2016 that the requirements of the Privacy Shield correspond to the level of data protection in the European Union; the arrangement has been applicable since then.
The agreement regulates the protection of personal data transferred from a member state of the European Union to the USA. It had become necessary after the European Court of Justice declared the European Commission’s Safe Harbor decision, which had been applied until then, invalid in October 2015.
Under the GDPR, the transfer of data to international organizations or third countries is only possible if certain conditions are met (GDPR Articles 44-50).
In order to be able to transmit data, the recipient must
- be in the EU or the EEA,
- be located in a country for which an EU decision certifies an equivalent level of data protection,
- use binding internal data protection rules in accordance with Article 47,
- use standard data protection clauses approved by the EU (Article 93(2)),
- use EU-approved codes of conduct in accordance with Article 40 and appropriate safeguards; and
- have submitted to an EU-approved certification mechanism in accordance with Article 42.
As of November 2018, the standard data protection clauses, certifications and codes of conduct are still not available.
As a rule, for the USA, transfers are only possible to companies that have submitted to the EU-US Privacy Shield.
You can check which companies have submitted to the Privacy Shield on the Privacy Shield website. The Privacy Shield distinguishes between HR (personnel data) and non-HR data. Dropbox, for example, only allows non-HR data.
Microsoft, Amazon and Dropbox are in the Privacy Shield and therefore data transfers are possible. Apple is not in the Privacy Shield and therefore the Apple Cloud may not be used in companies. Facebook is also in the Privacy Shield. However, the use of WhatsApp in companies is still problematic.
For Switzerland, there is a US-Swiss Privacy Shield that works like the EU Shield. The information is on the same website.