International Data Transfer and Privacy Shield

After Safe Harbor, the international data transfer law used by the United States and the European Union was invalidated and the Department of Commerce and the EU Commission worked to draft a new agreement to give additional rights to EU citizens with respect to their personal information when transferred to the United States.  On July 12, 2016, the United States and the European Union agreed to a new framework for the exchange of personal data for commercial purposes called the “Privacy Shield,” which was created to replace Safe Harbor.

Upon first glance, Privacy Shield seems to resemble Safe Harbor; however, upon closer inspection, it is clear that Privacy Shield has implemented new standards of data protection, including adding stricter requirements and additional limitations on access to personal data. Similar to Safe Harbor, organizations certifying their compliance with Privacy Shield must meet the following criteria: (i) the participating companies must fall under the enforcement of the FTC or another US agency that is able to ensure compliance, (ii) publicize that it will only process data in accordance with the Privacy Shield Principles by self-certifying, (iii) make its privacy policy public, and (iv) actually implement the new Privacy Shield Principles.

For compliance purposes, those participating and self-certifying with Privacy Shield must comply with seven principles set forth in the adequacy decision (the “Privacy Shield Principles”) including Notice, Choice, Security, Data Integrity and Purpose Limitation, Access, Accountability for Onward Transfers and Recourse, Enforcement, and Liability. The Privacy Shield Principles mirror those in the Safe Harbor framework, but each is expanded to offer greater protection for individuals.

Due to the heightened obligations, those participating companies that intend to certify and accept data from individuals in the EU should update their policies to reflect the changes in the Privacy Shield Principles as well as review their current contractor, supplier and/or vendor agreements to ensure compliance.

Melody Ashby is a Senior Attorney at Meyer Law, a woman-owned, forward-thinking boutique law firm specializing in helping entrepreneurs and technology companies from startups to fortune 500’s with corporate, contracts, employment and intellectual property matters in Technology, Telecom, FinTech, EdTech, AdTech, HealthTech, Internet of Things, Financial Services, Telecom, Social Media, Real Estate, Marketing, Advertising and Healthcare sectors. Melody is a mentor at tech incubators and accelerators across the United States.  Learn more at and follow us on Twitter @TheTriciaMeyer and @LoveYourLawFirm.

We use cookies and similar technologies to enhance the navigation of our website, analyze usage and assist in our marketing efforts, and you agree to this by viewing and accessing our website. Please see our Privacy Policy for more information.