After months of negotiations, the European Commission (the "Commission") and the US Department of Commerce ("DOC") have agreed on a final EU-US "Privacy Shield" framework for use by companies seeking a legal basis for commercial transatlantic transfers of personal data. The Commission formally approved the "adequacy" of the Privacy Shield on 12 July 2016, and the DOC began accepting "self-certifications" from US organisations on 1 August 2016.
The Privacy Shield is framed as a remedial successor to the previous "Safe Harbor" regime, which was invalidated by the European Court of Justice in October 2015, due largely to concerns that its derogation for national security, public interest and law enforcement purposes permitted the mass, indiscriminate sharing of EU citizens' personal data with US agencies (see our full summary here). Negotiations have been protracted, and various bodies have criticised draft deals along the way, including the European Parliament, the European Data Protection Supervisor and the Article 29 Working Party.
The new regime relies on a similar approach of self-certification and external verification against seven privacy principles. Although these broadly replicate the Safe Harbor principles in name, some (e.g. "Notice" and "Accountability for Onward Transfer") are much more demanding in substance. The Privacy Shield also incorporates additional data protection measures, such as a greater focus on organisational transparency, enhanced supervision/oversight mechanisms and an annual joint review between the Commission and the DOC, along with multiple potential routes of redress for concerned EU citizens (including alternative dispute resolution mechanisms and an independent US Ombudsperson for complaints related to national security issues). Further information on the scheme can be found on its official website (https://www.privacyshield.gov/welcome) and within the EU Commission's recently published guide.
The Privacy Shield will operate in parallel with other existing data transfer mechanisms including Standard Contractual Clauses ("SCCs") and Binding Corporate Rules ("BCRs"). However, as pointed out in a recent blog post by the UK's Information Commissioner's Office ("ICO"), this area is "still not free from uncertainty". Other pending and potential cases before the European Court of Justice ("ECJ") may cast the validity of other mechanisms such as SCCs into doubt, and the Privacy Shield's compliance with EU law will inevitably be challenged.
While the Privacy Shield's effectiveness and uptake amongst US companies remain to be seen, our dedicated Data Protection team would be happy to advise you on the regime's features, sign-up processes and obligations, and the broader data transfer solutions most suitable for your business. Our suite of dedicated materials, including four free webinars, is also an invaluable source of information on the regime's potential implications.
This article is part of our Employment Law Update for September 2016