The EU-US Privacy Shield is an informal agreement in the field of data protection that was negotiated between the European Union and the United States of America from 2015 until 2016. It consists of a number of assurances given by the US Federal Government and a decision of the European Commission. On July 12th, 2016 the Commission decided that the standards of the Privacy Shield correspond to the data protection level of the European Union; since then the agreement can be relied upon.
The agreement governs the protection of personal data that is transferred from a member state of the European Union to the USA. The agreement became necessary after the European Court struck down the previously used International Safe Harbor Privacy Principles of the European Commission in October 2015.
Under the GDPR, transferring data to international organisations or third countries is only possible if certain restrictions are complied with (DSGVO Articles 44-50).
In order for data to be transferred, the recipient has to meet one of the following conditions:
- be located in the EU or the EEA,
- be located in a country for which a European Union decision certifies an equivalent level of data protection,
- use binding corporate rules according to Article 47,
- use standard data protection clauses approved by the EU (Article 93 paragraph 2),
- use codes of conduct approved by the EU according to Article 40 together with suitable safeguards, or
- have submitted to a certification mechanism approved by the EU according to Article 42.
In November 2018 we still don't have these standard data protection clauses, certifications and codes of conduct.
In practice, data can therefore only be transferred to organisations in the USA that have submitted to the EU-US Privacy Shield.
You can check which organisations have submitted to the Privacy Shield on the Privacy Shield website. The Privacy Shield distinguishes between HR data (personnel data) and non-HR data. Dropbox, for example, is only covered for non-HR data.
Microsoft, Amazon and Dropbox are certified under the Privacy Shield, so data transfer to them is possible. Apple is not certified under the Privacy Shield, so the Apple Cloud may not be used in organisations. Facebook is also certified under the Privacy Shield; however, the use of WhatsApp in an organisation is still problematic.
For Switzerland there is a US-Swiss Privacy Shield that works just like the EU-US Privacy Shield. Information about the US-Swiss Privacy Shield is found on the same website as the EU-US Privacy Shield.