In October of 2015, the EU-U.S. Safe Harbor program was invalidated, and in February of 2016, a draft of the new EU-U.S. Privacy Shield was introduced.

However, on July 16, 2020, Privacy Shield itself was also invalidated. It is no longer an acceptable method for safe transfers of data, and has been replaced by the EU-U.S. Data Privacy Framework.

This article explains how Privacy Shield used to work.




What was Safe Harbor

The Safe Harbor program was created in the year 2000 between the EU and the U.S. in an attempt to make sure that both EU and U.S. businesses would be complying with EU privacy laws when dealing with personal information from EU citizens.

Under EU privacy laws, personal information from EU citizens cannot be transferred outside of the EU unless adequate guarantees for the privacy of that data are made.

Safe Harbor created a streamlined and rather convenient way for a large number of businesses to comply with privacy laws and legally transfer personal data from the EU to the United States.

Only certain industries were able to participate in the Safe Harbor, including:

  • Industries that fall under the jurisdiction of the Federal Trade Commission (FTC), such as food, healthcare, and energy
  • Industries that fall under the jurisdiction of the Department of Transportation (DoT), such as some U.S. ticket agents and air carriers

If your business was in one of these categories, and your business collected, used, and/or stored personal information from European citizens, you were eligible to participate in the Safe Harbor.

Participating in the Safe Harbor provided benefits to business owners:

  • Your business would be deemed to have adequate privacy protection in place to meet both U.S. and EU privacy standards,
  • Litigation was streamlined, and
  • Prior-approval requirements for data transfers were automatically granted or waived in all states participating in Safe Harbor.

Joining Safe Harbor was voluntary and relatively easy to do. A business or organization that wished to join had to:

  • Comply with the 7 Privacy Principles of the Safe Harbor program
  • Publish a Privacy Policy that adheres to these 7 Principles
  • Declare its compliance publicly and submit a certification form with a processing fee
  • Annually submit a self-certification stating its agreement to comply with the requirements

Basically, under the Safe Harbor, a U.S. business was able to take a few basic steps to self-certify that it would comply with the data protection standards in place in the EU, and this allowed the business to legally transfer European data to the U.S.

Thousands of businesses and companies took part in the Safe Harbor, including Google, Apple, and Facebook, just to name a few of the big players.

Sounds pretty good, right? So, why was Safe Harbor invalidated?

The end of Safe Harbor

In October of 2015, an Australian privacy activist filed a lawsuit against Facebook, alleging that Facebook's handling of his personal information was not legal because it violated European privacy law.

Eventually, the court invalidated the Safe Harbor agreement, concluding that even if U.S. companies followed the Safe Harbor guidelines and took measures to protect personal information collected from European citizens, that information was still at risk of misuse once in the U.S., because U.S. public authorities were not bound by the Safe Harbor guidelines and could obtain it through surveillance.

And that was the end of Safe Harbor.


The Beginning of Privacy Shield

In February of 2016, the EU and the U.S. released a proposed framework for the Privacy Shield in a draft that included new and more rigorous obligations for U.S. businesses that wished to transfer personal information about EU citizens to the United States.

On July 12th of that year, the European Commission formally adopted the Privacy Shield. Beginning on August 1, 2016, businesses that were compliant were able to certify as such with the Department of Commerce.

The new obligations in the Privacy Shield included broader and more in-depth certification requirements, as well as changes in the following areas:

  • New requirements for how notice of compliance and privacy practices was given to users,
  • New and stricter requirements for how vendor agreements and third-party contracts were handled,
  • More limitations on what data could be collected and how it could be used,
  • More rights and remedies for citizens in the event of a complaint or violation of their privacy, and
  • Broader dispute resolution and remedy mechanisms in favor of EU citizens' privacy

Self-certification was still practiced, but with stricter initial requirements, as well as additional mechanisms in place to ensure actual and continued compliance, both by U.S. businesses and by U.S. public authorities.

Notice

The Privacy Shield required you to have a Privacy Policy.

Your Privacy Policy was required to let users know:

  • What personal information you were collecting
  • How you would be using this personal information
  • What access third parties had to this personal information and the scope of their access
  • Your responsibility and liability for any personal information that was transferred to a third party
  • How users could access their personal information after you collect it
  • How users could control the way you use and disseminate their personal information
  • How users could opt out of having you share their personal information with third parties
  • How users could opt out of you using their personal data beyond what you've disclosed already
  • How you would always obtain affirmative consent from a user before you disclosed any of their sensitive information.

You also needed a procedure in place for how you would handle complaints that your users may have lodged against you under the Privacy Shield.

Within your Privacy Policy agreement, it was recommended to include the following:

  • Description of your procedure for handling complaints,
  • Information about which independent dispute resolution body would be used in the event of a complaint, and
  • Notice that your users may have had a right to binding arbitration.

Once your business was certified under the Privacy Shield, it was recommended that you mention this to users somewhere in your Privacy Policy and include a link to the Department of Commerce's list of all organizations that have formally self-certified, so that users could verify your status if they wished.

Third Party Dealings

If you relied on one or more third parties to transfer personal information from the EU to your U.S. business, and a third party you used for this transfer failed to comply with Privacy Shield principles, you would have been held liable unless you could actually show that you were not responsible for the non-compliant event.

You should already have been paying special attention to whether the third parties you used had adequate procedures and policies in place to protect personal data, and to comply with Privacy Shield principles as well. You might have found yourself needing to create a new agreement with a third party you had worked with in the past, or renegotiating an existing agreement to include new clauses and clarifications.

Any agreement between your business and a third party that transferred information from the EU to the U.S. had to:

  • State very clearly that any personal information could only be transferred within the specific scope of use that your users had affirmatively consented to,
  • State that the third party you were using was required to and would comply with Privacy Shield principles, and
  • State that your business would take appropriate and reasonable steps to make sure that the third party was actually complying with these principles.

    These steps could have included monitoring and evaluation mechanisms, and should have included a remedy for how you could intervene or alter the way the third party handled information if you found a violation.

Limit Data Collection

The Privacy Shield called for data minimization, and any data you collected had to be:

  • Relevant for your processing purposes,
  • Reliable for its intended use,
  • Current,
  • Complete, and
  • Accurate

If you stored data for long periods of time, that data may have become less accurate and complete, and certainly not current. It may also no longer have been relevant for your purposes if your business practices changed.

To avoid issues here, you could have invited your users to review and update their information periodically, and reviewed your internal practices to see whether you no longer needed to store certain categories of data for your processing purposes.

The idea of letting users access and update their information leads right into the next point of the Privacy Shield, which was to give users more access to their personal information.

Give Users Access to Their Information

To comply with the Privacy Shield requirements, you had to give your users the ability to:

  • Access the personal information you had collected about them,
  • Correct their personal information in the event of errors,
  • Amend their personal information as they saw fit,
  • Delete any outdated or no longer accurate information,
  • Confirm that their personal information was actually being processed by you, and
  • If their information was being processed, confirm that it was being done lawfully

Dispute Resolution Preparedness

Under the Privacy Shield, there were a few requirements for how disputes and issues raised by your users had to be handled:

  • You had to reply to all complaints within 45 days,
  • You had to provide Alternative Dispute Resolution (ADR) to your users, at no cost to them, and
  • You had to provide notice that an arbitration mechanism of a Privacy Shield Panel would be made available as a last resort

Beyond these new and more extensive requirements for business owners, the Privacy Shield also required U.S. public authorities to provide written assurances that personal data collected from EU citizens would be subject to limitations and safeguards, and that oversight mechanisms would be in place to ensure this.

Mass or indiscriminate surveillance was explicitly not allowed, and annual joint reviews between the EU and the U.S. were to be put in place to ensure that requirements were being met, rules were being followed, and that privacy goals were being reached.

Beginning on August 1, 2016, businesses that were compliant could certify as such with the Department of Commerce, and were slated to have to renew their certifications annually.
