On 12 July 2016, the European Commission adopted the EU-US
Privacy Shield as a replacement for the Safe Harbor mechanism,
which had previously been declared invalid by the Court of Justice
of the EU.
Around two weeks after the Commission's announcement, the
Article 29 Working Party (the EU Data Protection Regulators) issued
their statement on the decision. Although not fully endorsing
Privacy Shield, and expressing concerns over a number of issues,
the Working Party agreed not to launch any legal challenge to it
for at least a year.
The US Department of Commerce (DoC) began to accept applications
from US companies to sign up to Privacy Shield on 1 August. The
number of applications and acceptances has been impressive. In a
period of just one calendar month, the DoC has decided that the
privacy policies of 103 US companies comply with the Privacy Shield
standards. As of 1 September, the DoC confirmed that it was also
reviewing the policies of a further 190 companies and additional
250 companies were submitting their policies.
The numbers of those who have been successful in applying, and
who are waiting in line, is testament to the attractiveness of
Privacy Shield to US companies who process personal data from the
One significant point is that although the DoC is determining
whether a company's policy meets the Privacy Shield standard it
is not considering the more important issue of whether the
applicant companies comply with those privacy policies. Drafting a
compliant policy is a relatively easy step. Complying with it is
another thing entirely.
The Commission and the US Government are happy with Privacy
Shield. Andrus Ansip confidently stated that "it will
protect the personal data of our people and provide clarity for
businesses." The US Secretary of Commerce Penny Pritzker
said that it "is a tremendous victory for privacy,
individuals, and businesses on both sides of the
Atlantic.", The Article 29 Working Party is content for
now, and US companies are signing up in significant numbers.
However, two unanswered questions remain. Will EU data
controllers be willing to rely on a data importer's Privacy
Shield certification? How will data subjects react to a data
controller transferring their information under that mechanism?
EU data controllers remain legally responsible for the
transferred data. Knowing that a US company has had its privacy
policy vetted and accepted by the DoC is an important step. But, a
controller considering transferring data under the Privacy Shield
would be wise to undertake their own due diligence to ensure that
their data is being appropriately protected by the importing US
company. No doubt, some controllers will insist on additional
measures or alternative methods to protect their data.
Although the regulators may be granting Privacy Shield a
year's grace, and as Max Schrems has demonstrated, individual
data subjects can exercise their rights to influence EU data
protection law. Data subjects could potentially challenge a data
controller's reliance on Privacy Shield. Such individuals,
unhampered by the Working Party's grace period, could bypass EU
data protection regulators and seek to test Privacy Shield's
validity through the courts.
There is no doubt that personal data will continue to flow
across the Atlantic. The uncertainty lies in whether the flow will
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).