On July 12, 2016, the European Commission (Commission) formally
adopted the EU-US Privacy Shield (Privacy Shield) by issuing its
adequacy decision, providing a new structure for cross-border data
transfers from the European Union (EU) to the United States.
The Privacy Shield was developed after the Commission's
previous adequacy decision regarding the Safe Harbour framework was
declared invalid by the Court of Justice of
the EU. Following extensive negotiations, which considered concerns
and recommended changes from the Article 29 Working Party, the
Commission and the United States reached an agreement on the terms
of the Privacy Shield.
How Does the Privacy Shield Work?
The Privacy Shield consists of a variety of measures,
More Robust Privacy Terms and Protections:
Participating companies will be subject to stronger data protection
obligations that will be monitored and enforced by United States
authorities. This includes limitations on the retention of personal
information, access to personal information in the context of law
enforcement or national security, and the collection of personal
information in bulk.
Regular Monitoring and Review: The Commission
and the United States government will meet annually to review the
adequacy of the mechanisms in place. Companies utilizing the
Privacy Shield will be subject to regular review by the United
States Department of Commerce relating to their compliance with the
data protection rules, and those that do not comply will face
More Comprehensive Redress Mechanisms: EU
citizens who are concerned about the handling of their personal
information will be provided with better and more easily accessible
mechanisms for redress. Individuals will have a variety of
methods to seek redress, including the ability to lodge complaints
with the applicable private company, the United States Department
of Commerce or the Privacy Shield panel.
Companies that wish to participate now have the opportunity to
review the framework and update their compliance accordingly. To
register to be on the Privacy Shield list, United States companies
must self-certify that they meet and will comply with the standards
of data protection set out in the Privacy Shield. Compliant
companies will be able to certify with the Department of Commerce
beginning on August 1, 2016 and must renew their certification
annually. The United States government has committed to maintain a
current list of Privacy Shield members and ensure that companies
that are removed from the Privacy Shield list will be subject to
its terms until they no longer retain personal information. The
European Commission will be producing a guide for the public to
clarify the parameters of the Privacy Shield and explain redress
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.