On 12 July 2016, the European Commission adopted the EU-US Privacy Shield (the "Privacy Shield"), the new framework for transatlantic exchanges of personal data replacing the Safe Harbour agreement. The adoption follows a positive vote by the Member States' representatives in the Article 31 Committee on 8 July 2016. US companies can sign up to the Privacy Shield from 1 August 2016. Once a US company is certified under the new scheme, transfers to this company from the EU will be permitted under Directive 95/46/EC (the "Data Protection Directive").

Under the Data Protection Directive, personal data must not be transferred to a recipient outside the EEA unless that recipient is located in a country which is regarded as providing an "adequate" level of protection. The decision of 12 July 2016 declares that US companies registered under the Privacy Shield qualify for "adequate" protection status under the Data Protection Directive.

Improvements Provided by Privacy Shield

The draft framework principles and additional documents composing the Privacy Shield were published on 29 February 2016 (see VBB on Business Law, Volume 2016, No. 2, p. 8, available at www.vbb.com). Since presenting the draft Privacy Shield in February, the European Commission and the US Department of Commerce have updated the texts to include a number of additional clarifications and improvements. These improvements draw on the opinions of the EU's Article 29 Working Party, an independent European advisory body on data protection and privacy composed of representatives of the EU Member States' national data protection authorities, the European Data Protection Supervisor and the European Commission (see VBB on Business Law, Volume 2016, No. 4, p. 6, available at www.vbb.com). They also reflect a resolution of the European Parliament.

The European Commission received additional clarifications from the US National Intelligence Office on the question of when bulk collection of data is permitted under US law. In addition, the updated texts of the Privacy Shield strengthen the ombudsman mechanism which provides redress against access by US authorities. The latest changes also impose more explicit obligations on companies as regards: (i) secondary use of personal data ("purpose limitation" principle); (ii) onward transfers of personal data; and (iii) the duration of data retention and de-identification of personal data.

Commission Adequacy Decision

In its decision, adopted on 12 July 2016 (the "Adequacy Decision"), the European Commission concludes that the US ensures an adequate level of protection for personal data transferred from the EU to organisations in the US that have self-certified under the Privacy Shield.

The European Commission commits to monitor continuously the functioning of the Privacy Shield with a view to assessing whether the Privacy Shield and the underlying US laws and regulations continue to ensure an adequate level of protection of personal data.

The Adequacy Decision also provides for an annual revision of the scheme. This will allow the European Commission to assess the compatibility of the Privacy Shield with the General Data Protection Regulation 2016/679 (the "GDPR") which will enter into effect on 25 May 2018. It is expected that further updates to the Privacy Shield may be required in order to comply with the strengthened rules of the GDPR.

The Adequacy Decision has been notified to the EU Member States and thereby entered into force on 12 July 2016. On the US side, the Privacy Shield was published in the US Federal Register and companies have been able to self-certify with the US Department of Commerce ("DoC") since 1 August 2016. The DoC will make both the Privacy Shield list and certification submissions publicly available through a dedicated website. The DoC has also published a document explaining how US companies can register for the Privacy Shield.
