The European Commission issued an adequacy decision about the EU-US
Privacy Shield framework (Privacy Shield) on 12 July 2016. The
Privacy Shield agreement replaces the Safe Harbor framework
invalidated in October 2015. European companies will be able to
lawfully transfer personal data to US counterparts that sign up
to comply with the Privacy Shield. The adequacy decision enters
into force immediately but the framework still requires certain
steps on the US side. The U.S. Department of Commerce announced it
will start accepting certifications on 1 August 2016.
Despite assurances from the EU Commission and the US government
that the Privacy Shield places stronger obligations on the US
companies in protecting the personal data of Europeans, legal
challenges to transfers based on this mechanism seem
inevitable. The Privacy Shield will be under close scrutiny by data
protection authorities and may be challenged in court just as
Safe Harbor was in the past or the standard contractual clauses
currently are. We recommend that businesses rely on other transfer
mechanisms, such as binding corporate rules or standard contractual
clauses. We suggest companies that rely on the Privacy Shield adopt
additional contractual data protection controls to demonstrate
compliance with EU law.
As we previously
reported, the European Commission (EC) had been negotiating the
EU-US Privacy Shield framework since October 2015, after the EU-US
Safe Harbor was invalidated by the EU Court of Justice. The new
agreement was announced
in February 2016 but was widely criticised by the European
Parliament, European privacy watchdogs and numerous human rights
activists for providing only a facelift to Safe Harbor. In the
subsequent months, the EU and US had been fine-tuning the deal in
order to ensure it complies with the strict levels of personal data
protection required by the EU law and is less susceptible to legal
The final text addresses key concerns of the Article 29 Working Party, a
body representing all EU data protection authorities. The framework
provides stricter rules on data retention, clarifies the position
of the US ombudsman, and contains stronger commitments in writing
ruling out indiscriminate mass surveillance of data transferred
under this arrangement by the US public authorities. We will know
whether these improvements go far enough by the end of July, when
the Article 29 Working Party will announce a common position of the
European data protection authorities after "coordinated analysis of the documents".
Whatever the result, we expect that the framework and the companies
using it will be under continuous scrutiny by EU data protection
In the meantime, US companies can register on the Privacy Shield
list by self-certifying with the U.S. Department of
Commerce, after reviewing the framework and bringing their practices
into compliance with it. This self-certification will be possible starting 1 August
and is subject to annual renewal. The new self-certification
requirements will require significant compliance efforts and costs.
The requirements include:
expanded obligations regarding information disclosures;
increased accountability for onward transfers;
new monitoring and oversight mechanisms;
documentation and reporting.
In addition, participating US companies will be required to
publicly commit to comply with the framework's requirements;
this commitment will become enforceable under US law.
It remains to be seen whether the Privacy Shield can provide a
sustainable basis for future cross-border data transfers. But
whichever data transfer mechanism is used, the company exporting
data outside the EU remains responsible for personal data
transferred outside the European Economic Area. The data-exporting
company will have to demonstrate its compliance with the EU data
protection law to supervisory authorities.
We suggest companies focus their efforts on binding corporate
rules for intra-group transfers of personal data of employees or
customers. For transfers to processors or other third parties, we
suggest using standard contractual clauses. We advise companies
relying on the Privacy Shield to adopt additional contractual data
protection controls that would demonstrate compliance with EU
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.