EU-US Privacy Shield; Safe Harbor; & GDPR

Enrico Schaefer - June 2, 2020 - GDPR Data Privacy, Internet Law, Privacy


In 1998, the European Commission’s Directive on Data Protection began prohibiting the transfer of personal data from European Union countries to other countries that are not labeled as adequate under the EU standard for privacy protection. As this requirement could cause significant hurdles to international transactions between the US and the EU, including the creation and approval of US governmental data protection agencies, the US wanted a more efficient route for adequacy.

The US-EU Safe Harbor Came First

In 2000, the EU approved the EU-US Safe Harbor Framework, which allowed organizations to self-certify in order to quickly meet the data protection adequacy requirement of the EU and allow easier access to international trade. In 2015, the European Court of Justice deemed the US-EU Safe Harbor Framework invalid for determining the adequacy of data protection. In its place, the US Department of Commerce worked with the European Commission to create the EU-US Privacy Shield Framework, which the European Commission deemed sufficient to determine adequate data protection in 2016.

US-EU Privacy Shield Replaced the Safe Harbor

The Privacy Shield Framework has replaced the Safe Harbor Framework, and serves the same purpose of allowing for self-certification of adequacy, along with additional benefits. Also, in 2016, the General Data Protection Regulation (GDPR) went into effect, replacing the European Union’s Directive on Data Protection. The GDPR maintains the Data Protection Directive’s requirement of a showing of adequate privacy protections for transferring personal data out of the EU in Chapter V, but also allows alternative privacy safeguards like Privacy Shield Certification in place of a showing of adequacy.

Privacy Shield Certification

The Privacy Shield Framework allows organizations to self-certify and join the Privacy Shield by submitting a signed document outlining the organization’s business with the EU and its personal data privacy policy. Upon approval, the organization is certified and can immediately enjoy the Privacy Shield’s benefits. Organizations must certify annually to continue participation in Privacy Shield.

Benefits of Privacy Shield and its Relationship with GDPR

First and foremost, certification with the Privacy Shield avoids issues with the GDPR when transferring personal data for the organization from the EU to the US. The Privacy Shield framework was created to address all of the substantive and procedural requirements of the GDPR, and was approved for this purpose, so participating organizations will pass the adequacy requirement of the EU included in the GDPR. Due to the current invalidity of the Safe Harbor Framework, organizations previously certified under Safe Harbor now need to self-certify under the Privacy Shield to use this benefit. While Privacy Shield Certification does not equal compliance with the GDPR, it is an accepted alternative that allows an organization to pass the adequacy standard of data protection.

The Privacy Shield also gives participants easy approval of EU data transfers, either waiving approval requirements altogether or granting automatic approval. The Privacy Shield was also built to allow easy and inexpensive compliance, made to help smaller-sized businesses find a way to participate in international transactions without needing to spend large amounts of resources otherwise seeking compliance with the GDPR. Using the Privacy Shield Framework is a quick and easy way to obtain a certification valid with the GDPR and begin making business transactions with personal data in the EU.

If you have questions about the Privacy Shield or GDPR and your company’s compliance therewith, Traverse Legal’s attorneys are here to help.

This blog post was contributed, in part, by Traverse Legal’s Virtual Law Clerk Scott Pehoushek.



This page has been written, edited, and reviewed by a team of legal writers following our comprehensive editorial guidelines. This page was approved by attorney Enrico Schaefer, who has more than 20 years of legal experience as a practicing Business, IP, and Technology Law litigation attorney.