Formal Adoption of EU-US Privacy Shield
After many months of negotiation and review the EU-US Privacy Shield was formally adopted by the European Commission on July 12, 2016. This came just a few days after the Article 31 Committee approved the updated text of the EU-US Privacy Shield on July 8, 2016.
The EU-US Privacy Shield, as adopted, will according to Vera Jourovà, Commissioner for Justice, Consumers and Gender Equality “protect the personal data of Europeans and ensure legal certainty for businesses“. Andrus Ansip, Commission Vice President for the Digital Single Market further described the Privacy Shield as “a robust framework ensuring these [transatlantic] transfers take place in the best and safest conditions.”
The EU-US Privacy Shield reflects the requirements that were laid out by the Court of Justice of the European Union in the Schrems decision and is based on the following principles:
- Strong and detailed obligations on participating companies handling data including regular reviews by the US Department of Commerce and enforcement action for non-compliance;
- Assurances from the US accompanied by analysis by the Commission establishing that US government access for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms including the introduction of an Ombudsperson;
- Layers of protection of individual rights including an alternative dispute resolution procedure and an arbitration mechanism; and
- An annual joint review mechanism to monitor the functioning of the Privacy Shield.
The initial text of the EU-US Privacy Shield came under intense scrutiny from the Article 29 Working Party, the European Parliament and European Data Protection Supervisor, who noted that it was significantly stronger than Safe Harbor but recommended a number of additional improvements. The views of these authorities have been taken into account in the revised draft of the Privacy Shield and data subjects and companies should have significant confidence in the new arrangement (please see our recent blog article that elaborates on the changes made).
Now that the EU-US Privacy Shield has been adopted, the Commission will notify the “adequacy decision” to the Member States which will subsequently enter into force immediately. The Commission will then need to translate the documents into the official languages. In the US, the Privacy Shield will be published in the Federal Register and the Department of Commerce will need to update the registration mechanism.
US Commerce Secretary Penny Pritzker announced that the EU-US Privacy Shield will be fully implemented and ready for companies to self-certify on August 1, 2016. This provides companies with the opportunity to review the framework and update their compliance programs accordingly. Alongside this, the Commission will publish a guide for EU citizens that explains the redress mechanisms available to them where a data subject considers that his or her data is not being processed in accordance with data protection rules.
While adoption of the EU-US Privacy Shield by the Commission does provide a degree of certainty in finding a legitimate solution for transferring data from the EU to the US, there is a substantial likelihood that the EU-US Privacy Shield will face challenges by EU data protection authorities and activists, but the hope is that the protections and increased level of security by US and EU regulators involved with the development of the EU-US Privacy Shield will secure its long term future. With standard contractual clauses under challenge in the proceeding brought by the Irish Data Protection Commissioner before the Irish High Court, subscribing to Privacy Shield may be prudent even for organizations that use such clauses so as to have an alternative data transfer mechanism in