The European Commission yesterday issued an adequacy decision adopting the EU-US Privacy Shield, which
replaces Safe Harbor as a framework for protecting European data
transferred to the United States. Adoption had been expected since
the European Commission announced on Friday that Member States had
given their "strong support" to the new framework
(although we note that Austria, Bulgaria, Croatia and Slovenia
abstained from voting).
Are there any final changes?
There have been some tweaks to the Privacy Shield regime since
the draft adequacy decision was issued in February. These
clarifications on the bulk collection of
data. In particular, the Office of the Director of
National Intelligence has clarified that the bulk collection of EU
data can only be used under specific preconditions and must be
"as targeted and focused" as possible;
introducing more explicit
obligations on companies as regards limits on
retention and collection of data. Specifically,
companies now have to delete data that no longer serves the purpose
for which it was collected; and
Ombudspersonmechanism. In its
press release, the Commission makes clear that the Ombudsperson is
independent from the US intelligence
What were the criticisms?
The changes are intended to address a critique of Privacy Shield
issued in April by European data protection regulators (aka the
Article 29 Working Party), which concluded that Privacy Shield
– while a huge improvement on Safe Harbor – still did
not meet EU privacy standards. This was largely because:
massive and indiscriminate data
collection by American authorities was still not fully
the Privacy Shield lacked an explicit
data retention principle; and
the powers and independent position
of the Ombudsperson (who deals with national security-related
complaints) were not made clear.
What does the future look like for Privacy Shield?
The Commission's tweaks will address the A29WP's
concerns to some degree, but that mightn't be enough to keep
the privacy wolves at bay.
Privacy Shield may well be subject to a future challenge on the
basis of "equivalence" with EU law, and it will almost
certainly undergo further A29WP review. Potential issues remain,
such as the fact that Privacy Shield (like Safe Harbor) is largely
self-certified. Indeed, one of the main privacy advocates in the
European Parliament (MEP Jan Philipp Albrecht) commented that the
European Commission has "just signed a blank cheque for the
transfer of personal data of EU citizens to the US, without
delivering equivalent data protection rights". Max Schrems has
said he will challenge it.
In the medium term, inconsistencies between Privacy Shield and
the upcoming GDPR requirements could also limit Privacy
Shield's shelf life. Therefore, the climate seems ripe for
challenge. Max Schrems has also sought to challenge model clauses
in an application by the Irish DPA to the Irish High Court.
Privacy observers will also be keeping an eye on how Brexit
plays out: will the UK find itself negotiating its own form of
Privacy Shield to ensure EU adequacy?
Even so, Privacy Shield will be a valid solution for transfers
to the US. American companies may begin to self-certify with the US
Commerce Department from 1 August, and we expect to see many large
US vendors taking up this option. Microsoft has concluded on its official blog that the Privacy Shield
"meets each of [the] requirements...of... European data
Dentons is the world's first polycentric global law firm. A
top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm
is committed to challenging the status quo in delivering consistent
and uncompromising quality and value in new and inventive ways.
Driven to provide clients a competitive edge, and connected to the
communities where its clients want to do business, Dentons knows
that understanding local cultures is crucial to successfully
completing a deal, resolving a dispute or solving a business
challenge. Now the world's largest law firm, Dentons'
global team builds agile, tailored solutions to meet the local,
national and global needs of private and public clients of any size
in more than 125 locations serving 50-plus countries.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
You are cordially invited to our workshop on processing of employees’ personal data in light of the new EU Regulation on Personal Data Protection (GDPR). The meeting is organized by Dentons together with the American Chamber of Commerce in Poland.
Dentons will hold a Competition Breakfast Seminar on February 28, 2017 titled: Rebates and discounts under EU competition law – lessons of the Intel case. Renowned competition lawyer James Venit from Dentons’ Brussels office will be joining co-heads Tihamér Tóth and Tünde Gönczöl of Dentons Budapest’s
You are cordially invited to a practical seminar on private antitrust enforcement in light of the soon to be implemented Damages Directive, which we address to the banking and finance sector. During the seminar we will present new tools designed for cartel damages litigation in light of fast forwarding the legislative process in Poland from a lawyer’s and an economist’s perspective. We will discuss examples of private antitrust litigation from a jurisdiction where the system is already effective and consider whether third party litigation funding is an option in Poland. All these points will help you identify potential claims against other market players and prepare a defense strategy against private enforcement claims targeting your institution.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).