Privacy Shield opens hole in protection of EU citizens’ privacy

PRESS RELEASE - 12.07.2016

The European Commission today is clearing the way for the transfer of EU consumers’ personal data to the US. However, the European Consumer Organisation (BEUC) is disappointed with the agreement that underpins this transfer of data because it does not sufficiently protect EU citizens.


Companies transferring data from the EU to the US can adhere to the ‘Privacy Shield’, an agreement which lays down the rules and principles for the protection of EU citizen’s personal data in the US1. The deal is necessary because the processing of personal data for commercial purposes remains largely unregulated in the US2.

BEUC argues that the Privacy Shield fails to provide an adequate level of protection for EU citizens when their personal data is sent over the Atlantic. The limits the agreement will impose on US tech companies that profit from hoovering up massive amounts of data fall short of the standards set in EU data protection law.

Monique Goyens, Director General of The European Consumer Organisation (BEUC), commented:

“It is disappointing that the EU is showing so little appetite for defending its pioneering data protection rules. Consumers usually do not know or control where companies are sending their personal data. Their privacy rights should not be weakened just because data is transferred to the US or elsewhere. Whenever personal data travels across borders, it must also be protected across borders.

“The Commission should have listened more to data protection bodies and privacy advocates rather than giving in to political and commercial pressure from the tech industry and the US government. Sadly, commercial motivations seem to have outweighed citizens’ right to privacy.

“Consumer redress mechanisms and the overall value and structure of the whole scheme remain as messy and complex as ever. On the positive side, some improvements have been made, such as introducing a limit to data retention.

“Nevertheless, we consider that the shield is cracked beyond repair and is unlikely to stand scrutiny by the European Court of Justice. A fundamental problem remains that the US side of the shield is made of clay, not iron”.


1 The Privacy Shield has replaced its predecessor ‘Safe Harbour’ which was struck down by the European Court of Justice in October last year on the grounds that it did not sufficiently safeguard EU data protection rights.

2 There is no general data protection law in the US which would mirror EU rights such as the right of access to personal data, right to erasure, right to object to processing of personal data among others.