The European Union and the United States have now conducted the second annual review of Privacy Shield, a framework which regulates and facilitates the exchange of personal data across the Atlantic. The European Commission will publish its conclusions in a report at the end of this month.

The EU-U.S. Privacy Shield mechanism

EU organisations that want to transfer personal data to recipients outside the EU/EEA must assess whether the recipient country ensures an adequate level of data protection. Privacy Shield imposes stronger obligations on U.S. companies to protect the personal data of individuals in the EU and to monitor, enforce and cooperate with the European data protection authorities to ensure adequacy.

On a voluntary basis, U.S. organisations can self-certify to the U.S. Department of Commerce, publicly stating that they will comply with Privacy Shield requirements. A list of the certified organisations can be found here. Nearly 4,000 companies have now made legally enforceable commitments to comply with the framework since Privacy Shield went into effect in 2016.

Second annual review

Privacy Shield’s terms are required to be reviewed every year. You can find our blog post on the first annual report here.

The first day of this review focused on the commercial aspects of Privacy Shield, largely in relation to its enforcement and oversight. The second day covered developments concerning the collection of personal data by U.S. authorities for the purposes of law enforcement and national security.

Criticism of the Privacy Shield

Privacy Shield has been criticised since its inception, including on the ground that the United States has yet to implement the changes called for after the first annual review.

The resolution adopted by the European Parliament last month concerning Cambridge Analytica’s use of Facebook users’ data contains criticism of, and objections to, Privacy Shield. In particular, the resolution:

  • Recalls the previous resolution on the adequacy of the Privacy Shield’s protection
  • Calls on U.S. authorities to remove non-compliant companies from the Privacy Shield list
  • Calls for data transfers under Privacy Shield to be suspended or prohibited until U.S. authorities take appropriate enforcement action against the companies involved


In light of these objections to Privacy Shield, and in the face of increasing concerns about oversight, automated decision-making and mass surveillance by the United States, stakeholders hope this second review will drive progress. If not, calls to suspend the deal may increase in volume.