To predict the Privacy Shield’s future, it’s helpful to recall its origins and to understand the high bar it must meet – namely, ensuring “an adequate level of protection” under the Data Protection Directive.
As to its origins, because the Commission had not recognized the United States as having adequate protection, in 2000 the EU and the U.S. were forced to come up with mechanisms to enable companies to continue to transfer personal data from the EU to the U.S. The Safe Harbor framework, blessed by the Commission in an adequacy decision (“Safe Harbor Decision”), was one of the mechanisms agreed upon between the EU and the U.S.
Under the Safe Harbor framework, U.S. companies were able to self-certify through the DOC that they adhered to the privacy principles set forth in the Safe Harbor Decision. Before being invalidated in 2015, more than 4,000 U.S. businesses, including Facebook, had self-certified under the framework. Significantly, as