After months of negotiations, the European Commission (the
"Commission") and the US Department of
Commerce ("DOC") have agreed on a final
EU-US "Privacy Shield" framework for use by companies
seeking a legal basis for commercial transatlantic transfers of
personal data. The Commission formally approved the
"adequacy" of the Privacy Shield on 12 July 2016, and the
DOC began accepting "self-certifications" from US
organisations on 1 August 2016.
The Privacy Shield is framed as a remedial successor to the
previous "Safe Harbor" regime, which was invalidated by
the European Court of Justice in October 2015 due largely to
concerns regarding its derogation permitting the mass,
indiscriminate sharing of EU citizens' personal data with US
agencies for national security, public interest and law enforcement
purposes (see our full summary here). Negotiations have been protracted and
various bodies have criticised draft deals along the way; including
the European Parliament, the European Data Protection Supervisor
and the Article 29 Working Party.
The new regime relies on a similar approach of
self-certification and external verification against seven privacy
principles. Although these broadly replicate those found under the
Safe Harbor regime in terms of their label, some (i.e.
"Notice" and "Accountability for Onward
Transfers") are much more demanding in substance. The
Privacy Shield also incorporates additional data protection
measures, such as a greater focus on organisational transparency,
enhanced supervision/oversight mechanisms and an annual joint
review between the Commission and DOC, along with multiple
potential routes of redress for concerned EU citizens (including
alternative dispute resolution mechanisms and an independent US
Ombudsperson for complaints related to national security issues).
Further information on the scheme can be found on its official
website (https://www.privacyshield.gov/welcome) and
within the EU Commission's recently published guide.
The Privacy Shield will operate in parallel with other existing
data transfer mechanisms including Standard Contractual Clauses
("SCCs") and Binding Corporate Rules
("BCRs"). However, as pointed out in a
recent blog post by the UK's Information
Commissioner's Office ("ICO"), this
area is "still not free from uncertainty". Other pending
and potential cases before the European Court of Justice
("ECJ") may cast the validity of other
mechanisms such as SCCs into doubt, and the Privacy Shield's
compliance with EU law will inevitably be challenged.
While the Privacy Shield's effectiveness and uptake amongst
US Companies remains to be seen, our dedicated Data Protection team
would be happy to advise you on the regime's features, sign-up
processes/obligations and the broader data transfer solutions most
suitable for your business. Our suite of dedicated materials, including 4 free
webinars, are also an invaluable source of information on the
regime's potential implications.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).