After months of back and forth, an updated version of the EU-US Privacy Shield agreement originally announced in February is on the verge of being formally adopted on Tuesday, July 12, 2016. While the final documents comprising the agreement are not yet public, a vote by the Article 31 committee, consisting of representatives from EU Member States, approved a final version of the agreement on Friday. According to a joint statement from Andrus Ansip, Vice President for the Digital Single Market on the European Commission, and Věra Jourová, European Commissioner for Justice, Consumers and Gender Equality, the new Privacy Shield is "fundamentally different" from the invalidated Safe Harbor agreement and will impose "clear and strong obligations" on industry and better enforcement mechanisms.
As we have discussed, the updated version of the Privacy Shield establishes stronger obligations on companies handing Europeans' personal data and robust enforcement, new safeguards and transparency around mass surveillance, and new redress mechanisms for EU citizens. Both the Article 29 Working Party and the European Data Protection Supervisor were critical after the framework's initial unveiling in late February. The European Commission and US Department of Commerce worked to respond to this criticism by strengthening the Privacy Shield in the following ways:
- providing stronger rules around US mass surveillance and government access to European data;
- strengthening the independence of the US ombudsperson who is charged with adjudicating and responding to complaints from EU citizens; and
- further clarifying transfers of EU citizens' data to other companies.
In light of recent actions by the Irish Data Protection Authority to seek clarification from the European Court of Justice as to the validity of EU model contract clauses, the need for a functional and practical framework for transatlantic data flows is immediate. Privacy Shield will be a positive step forward in that respect.
Although the European Commission described the Article 31 vote as a "strong sign of confidence" in Privacy Shield, four EU member states abstained from the final vote, and a court challenge to it is likely. The ultimate fate of the Privacy Shield will likely be determined by the European Court of Justice. In the meantime, the Article 29 Working Party has already announced that it plans to conduct a coordinated analysis of the framework after final approval next week.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.