Accept Refuse

EUR-Lex Access to European Union law

Back to EUR-Lex homepage

This document is an excerpt from the EUR-Lex website

Document 32016D1250

Protecting EU citizens’ privacy in data transfers to the US

Protecting EU citizens’ privacy in data transfers to the US



Implementing Decision (EU) No 2016/1250 — stronger protection for European Union (EU) citizens’ personal data transferred to the United States


  • It recognises that the EU-US Privacy Shield, comprising the privacy principles applicable to certified US organisations (companies) and related commitments made by the US Department of Commerce and various other US authorities, provides an adequate level of protection for personal data* transferred from the EU to those organisations.
  • This means that personal data can freely be transferred to organisations in the US that are on the ‘Privacy Shield List’, which is maintained and made publicly available by the US Department of Commerce.
  • The Privacy Shield arrangement guarantees the right to respect for private life and the right to the protection of personal data of every individual from the EU whose personal data are transferred under the Privacy Shield.
  • It also ensures legal certainty for businesses that rely on the arrangement to transfer personal data from the EU to Privacy Shield-certified US organisations.


  • To be put on the list, US companies must commit to abiding by a strong set of data protection rules and safeguards. For example, they have to:

    • display their privacy policy (aligned with the Privacy Shield Principles) on their website,
    • ensure compliance, including with respect to onward transfers of personal data to third parties,
    • reply promptly to any complaints and subject themselves to oversight by an independent dispute resolution body (which may be an EU Data Protection Authority); must be subject to robust enforcement by the competent US authorities.
  • The US has also assured the EU that there will be clear limitations and safeguards with regard to US Government access to personal data.

Adequacy decision

  • Under the EU’s Data Protection Directive, EU countries had to enact data protection legislation, including rules on international transfers. These rules stipulate that international transfers are allowed under certain conditions only, for instance if the non-EU country to which personal data are transferred provides sufficient protection for personal data*.
  • The European Commission assesses the adequacy of the level of protection provided by a non-EU country in the light of that country’s data protection rules and practices deriving from its domestic law or international commitments.

EU-US Privacy Shield adequacy finding

  • The European Court of Justice ruling of 6 October 2015 declared the former EU-US framework (‘Safe Harbour’) invalid. This prompted the Commission and the US Government to negotiate a new arrangement for transatlantic exchanges of personal data for commercial purposes, in line with the requirements set out by the Court: the EU-US Privacy Shield.
  • The Commission adopted its decision recognising that the Privacy Shield framework ensures sufficient protection under Article 25(6) of the Data Protection Directive after consulting the European Data Protection Supervisor, and in accordance with the opinion of the European group of data protection authorities (Article 29 Working Party). The European Parliament also adopted a resolution.
  • The Commission will continuously monitor the functioning of the EU-US Privacy Shield, with the help of the national data protection authorities, to make sure that it continues to provide sufficient protection.
  • The first Annual Joint (EU-US) Review of the Privacy Shield will take place in September 2017.


It has applied since 21 August 2016. The Privacy Shield became operational on 1 August 2016, the date on which the US Department of Commerce (which administers the framework) started to accept applications for certification.


For more information, see:


Personal data: any information relating to an identified physical person or one who can be identified directly or indirectly through an identification number or one or more specific factors.
Personal data protection: protection against the misuse of and unauthorised access to personal data.


Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield (OJ L 207, 1.8.2016, pp.1-112)


Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data — Data protection directive (OJ L 281, 23.11.1995, pp. 31-50)

Successive amendments to Directive 95/46/EC have been incorporated into the original text. This consolidated version is of documentary value only.

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC — General Data Protection Regulation (OJ L 119, 4.5.2016, pp. 1-88)

last update 10.07.2017