Jul 132016

Formal Adoption of EU-US Privacy Shield

Cameron F. Kerry, William RM Long, Francesca Blythe and Samantha Cox
, , , , ,

After many months of negotiation and review the EU-US Privacy Shield was formally adopted by the European Commission on July 12, 2016. This came just a few days after the Article 31 Committee approved the updated text of the EU-US Privacy Shield on July 8, 2016.

The EU-US Privacy Shield, as adopted, will according to Vera Jourovà, Commissioner for Justice, Consumers and Gender Equality “protect the personal data of Europeans and ensure legal certainty for businesses“. Andrus Ansip, Commission Vice President for the Digital Single Market further described the Privacy Shield as “a robust framework ensuring these [transatlantic] transfers take place in the best and safest conditions.

The EU-US Privacy Shield reflects the requirements that were laid out by the Court of Justice of the European Union in the Schrems decision and is based on the following principles:

  • Strong and detailed obligations on participating companies handling data including regular reviews by the US Department of Commerce and enforcement action for non-compliance;
  • Assurances from the US accompanied by analysis by the Commission establishing that US government access for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms including the introduction of an Ombudsperson;
  • Layers of protection of individual rights including an alternative dispute resolution procedure and an arbitration mechanism; and
  • An annual joint review mechanism to monitor the functioning of the Privacy Shield.

The initial text of the EU-US Privacy Shield came under intense scrutiny from the Article 29 Working Party, the European Parliament and European Data Protection Supervisor, who noted that it was significantly stronger than Safe Harbor but recommended a number of additional improvements.  The views of these authorities have been taken into account in the revised draft of the Privacy Shield and data subjects and companies should have significant confidence in the new arrangement (please see our recent blog article that elaborates on the changes made).

Now that the EU-US Privacy Shield has been adopted, the Commission will notify the “adequacy decision” to the Member States which will subsequently enter into force immediately. The Commission will then need to translate the documents into the official languages. In the US, the Privacy Shield will be published in the Federal Register and the Department of Commerce will need to update the registration mechanism.

US Commerce Secretary Penny Pritzker announced that the EU-US Privacy Shield will be fully implemented and ready for companies to self-certify on August 1, 2016. This provides companies with the opportunity to review the framework and update their compliance programs accordingly. Alongside this, the Commission will publish a guide for EU citizens that explains the redress mechanisms available to them where a data subject considers that his or her data is not being processed in accordance with data protection rules.

While adoption of the EU-US Privacy Shield by the Commission does provide a degree of certainty in finding a legitimate solution for transferring data from the EU to the US, there is a substantial likelihood that the EU-US Privacy Shield will face challenges by EU data protection authorities and activists, but the hope is that the protections and increased level of security by US and EU regulators involved with the development of the EU-US Privacy Shield will secure its long term future.  With standard contractual clauses under challenge in the proceeding brought by the Irish Data Protection Commissioner before the Irish High Court, subscribing to Privacy Shield may be prudent even for organizations that use such clauses so as to have an alternative data transfer mechanism in

Cameron F. Kerry

ckerry@sidley.com

William RM Long

London

wlong@sidley.com

Francesca Blythe

London

fblythe@sidley.com

Samantha Cox

samantha.cox@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.