Legal Update: European Commission Adopts EU–U.S. Privacy Shield
The European Commission has formally adopted the so-called “Privacy Shield” arrangement by issuing an adequacy decision on 12 July 2016. The Privacy Shield provides an additional mechanism for European businesses to lawfully transfer personal data from the EU to the United States, and it will replace the Safe Harbour Agreement invalidated by the European Court of Justice (the “CJEU”) in October 2015.
The purpose of the new arrangement is to better safeguard the personal data of EU citizens and to provide clarity and legal certainty for businesses. The Privacy Shield entails more stringent data protection standards, compliance with which is meant to be better supervised. This means that U.S. companies are required to meet stronger obligations to protect Europeans’ personal data, while the U.S. Department of Commerce will regularly monitor the participating companies’ data protection practices. Furthermore, the Privacy Shield defines protective measures relating to government access to information and provides more accessible means of legal redress for individuals by, for instance, clarifying the position of the U.S. Ombudsperson. The ultimate purpose of all this is to restore the trust of European consumers when their data is transferred across the Atlantic.
When invalidating the Safe Harbour, the CJEU made it clear that any future decision must ensure a level of data protection essentially equivalent to that in European law. When the first draft of the Privacy Shield was published on 29 February 2016, it was widely criticised by European institutions and bodies as well as human rights activists. Even though the Commission has now given assurances that it has taken this criticism into account, the Privacy Shield is unlikely to receive universal recognition from privacy advocates and enthusiasts. In fact, it has already been anticipated that, like its predecessor, the Privacy Shield may also be challenged before the CJEU. Therefore, European businesses should not rely on the new Privacy Shield as the sole mechanism for transferring personal data from the EU to the U.S. but should also continue to adhere to the existing transfer mechanisms, such as the Standard Contractual Clauses and Binding Corporate Rules. It will also be interesting to see whether the Privacy Shield will be greeted with satisfaction by the Article 29 Working Party, a body representing all EU data protection authorities, which is supposed to issue its opinion on the new arrangement in the coming weeks.
Although the new Privacy Shield entered into force immediately, U.S. companies will not be able to certify with the U.S. Department of Commerce until 1 August 2016. Thereafter, European businesses may start lawfully transferring personal data to those U.S. organisations that are certified under the Privacy Shield. Further information on the arrangement can be found in the Commission’s press release.
In case you have any questions about the Privacy Shield, please feel free to contact our data protection & privacy specialists.