Should the privacy shield be subject to further negotiations?

This post is also available in: frFrançais (French)

Last week, in Washington DC, took place the annual joint review of the EU-US Privacy Shield Agreement, a review conducted by United States government officials, European Commission representatives and data protection authorities.

As a reminder, the Privacy Shield is an agreement adopted in 2016 between the United States and the EU following revelations made four years ago regarding mass surveillance carried out by the USA. This framework replaces its predecessor, the Safe Harbor, invalidated by the European Court of Justice. In order to protect EU citizen’s personal data transferred to the United States, this agreement obliges American companies to protect data, provides safeguards on U.S. government access to data, ensures the possibility to appeal for European citizens and an annual joint review to monitor the implementation[1].

During the review, all aspects of the administration and enforcement of the Privacy Shield, including commercial and national-security related matters were tackled. Participants also discussed their respective work to implement the Privacy Shield program during its inaugural year. All in all, the aim of this exercise was to investigate whether the US commitments were being met through exchanges on the underlying US legal framework in place and on the functioning of the oversight mechanisms[2]. The European commissioner for justice, Vera Jourova, main figure in charge of the review with the American secretary of Commerce Wilbur Ross, concluded as follows: “The discussions over the past two days were fruitful. I appreciate the commitment the US administration has showed to transatlantic data transfers (…)”[3]. Mrs Jourova also said she was relieved that US President Trump’s “America first” doesn’t mean “America only[4]. However, she expressed her impatience regarding the permanent appointment of an Ombudsperson, towards which EU citizens can lodge a complaint in case of a violation of their rights. Jourova also said she regretted that the FTC is not being proactive enough in cracking down on non-complying US firms[5].

The National Digital Council (CNNum), an independent French advisory commission whose task is to formulate independent opinions and recommendations on issues related to the impact of digital on society and the economy, expressed its concerns about the Privacy Shield. These concerns are also shared by the G29, the LIBE commission and advocacy groups. According to CNNum, Privacy Shield has too many grey areas and does not provide sufficient guarantees for the protection of EU citizens personal data. CNNum believes that the Privacy Shield should be reviewed/renegotiated in order to ensure a secure transfer of personal data of Europeans. CNNum considers that Privacy Shield, based on the US promise to collect targeted data rather than mass collection and replacing Safe Harbor, is only a relative advance as it is only a presidential directive and is therefore not “enshrined”. CNNum therefore denounces the absence of concrete and binding measures by the United States guaranteeing the protection of EU citizen’s data, as well as an overly broad definition of the terms.

In conclusion, AEDH joins the CNNum’s position and regrets that the EU has not been more stringent in this annual review with the United States by setting strict deadlines for implementing measures advocated by the Privacy Shield to ensure the protection of Europeans data[6].


[1] European Commission, « EU-US Privacy Shield », 2017 –

[2] European Commission, “Joint Press Statement from US Secretary of Commerce Ross and Commissioner Jourová on the EU-U.S. Privacy Shield Review”, 2017 –

[3] European Commission, “Commission sets out path towards fair taxation of the Digital Economy”, 2017 –

[4] Euractiv, “Jourova reassured ‘America first’ does not weigh on EU-US privacy shield”, 2017   –

[5] EUobserver, “US tests EU patience over Privacy Shield”, 2017  –

[6] National Digital Council (CNNum), «CNNum : Pourquoi le Privacy Shield doit être renégocié », 2017  –