On 12 July 2016, the European Commission adopted the EU-US
Privacy Shield (the "Privacy Shield"), the new framework
for transatlantic exchanges of personal data replacing the Safe
Harbour agreement. The adoption follows a positive vote by the
Member States' representatives in the Article 31 Committee on 8
July 2016. US companies can sign up to the Privacy Shield as from 1
August 2016. Once a US company is certified under the new scheme,
transfers to this company from the EU will be permitted under
Directive 95/46/EC (the "Data Protection Directive").
Under the Data Protection Directive, personal data must not be
transferred to a recipient outside the EEA unless such a recipient
is located in a country which is regarded as providing an
"adequate" level of protection. The decision of 12 July
2016 declares that US companies registered under the Privacy Shield
qualify for "adequate" protection status under the Data
Improvements Provided by Privacy Shield
The draft framework principles and additional documents
composing the Privacy Shield were published on 29 February 2016
(See, VBB on Business Law, Volume 2016, No. 2, p. 8, available at
www.vbb.com). Since presenting the draft Privacy
Shield in February, the European Commission and the US Department
of Commerce have updated the texts to include a number of
additional clarifications and improvements. These improvements draw
on the opinions of the EU's Article 29 Working Party, an
independent European advisory body on data protection and privacy
comprised of representatives of the EU Member States' national
data protection authorities, the European Data Protection
Supervisor and the European Commission (See, VBB on Business
Law, Volume 2016, No. 4, p. 6, available at
www.vbb.com). They also reflect a resolution of the European
The European Commission received additional clarifications from
the US National Intelligence Office on the question of when bulk
collection of data is permitted under US law. In addition, the
updated texts of the Privacy Shield strengthen the ombudsman
mechanism which provides redress against access by US authorities.
The latest changes also impose more explicit obligations on
companies as regards: (i) secondary use of personal data
("purpose limitation" principle); (ii) onward transfers
of personal data; and (iii) the duration of data retention and
de-identification of personal data.
Commission Adequacy Decision
In its decision, adopted on 12 July 2016 (the "Adequacy
Decision"), the European Commission concludes that the US
ensures an adequate level of protection for personal data
transferred from the EU to organisations in the US that have
self-certified under the Privacy Shield.
The European Commission commits to monitor continuously the
functioning of the Privacy Shield with a view to assessing whether
the Privacy Shield and the underlying US laws and regulations
continue to ensure an adequate level of protection of personal
The Adequacy Decision also provides for an annual revision of
the scheme. This will allow the European Commission to assess the
compatibility of the Privacy Shield with the General Data
Protection Regulation 2016/679 (the "GDPR") which will
enter into effect on 25 May 2018. It is expected that further
updates to the Privacy Shield may be required in order to comply
with the strengthened rules of the GDPR.
The Adequacy Decision has been notified to the EU Member States
and thereby entered into force on 12 July 2016. On the US side, the
Privacy Shield was published in the US Federal Register and
companies have been able to self-certify with the US Department of
Commerce ("DoC") since 1 August 2016. The DoC will make
both the Privacy Shield list and certification submissions publicly
available through a dedicated website. The DoC has also published a
document explaining how US companies can register for the Privacy
Shield.