Skip to content

Privacy Shield ready for business

Van Dyck Peter
Peter Van Dyck



View profile →

12 July 2016

Today, after a positive vote by the Article 31 Committee last Friday, the European Commission formally adopted the Privacy Shield adequacy decision.

The Privacy Shield aims to replace the earlier Safe Harbour mechanism after its well-publicised invalidation by the European Court of Justice in October 2015.

Key improvements

The five key stated improvements of the Privacy Shield against the Safe Harbour mechanism, as set out by the Commission, are the following:

  1. the Privacy Shield includes stricter rules on how US companies must handle personal data of European citizens (including tighter rules on the onwards transfer of personal data to other companies)
  2. US authorities have committed to actively monitor and enforce US companies’ compliance with the Privacy Shield;
  3. there are several redress mechanisms for European citizens. These mechanisms include the establishment of a new Ombudsperson who will follow up complaints and enquiries made by European citizens – this role has currently been assigned to Under-Secretary of State Catherine Novelli;
  4. US authorities have given written assurances of how they will handle the collection and use of personal data for national security and police enforcement purposes; and
  5. the Privacy Shield will be a dynamic system, which will be subject to a yearly joint review by EU and US authorities.

Animated discussions

The adoption of the Privacy Shield marks the conclusion of a lengthy and animated discussion, with earlier versions of the Privacy Shield having been subsequently criticised by the Article 29 Working Party, the European Parliament and the European Data Protection Supervisor.

Following these discussions, the European Commission renegotiated the Privacy Shield with US authorities, resulting in an updated version. This updated version included some improvements, for instance on the bulk collection of personal data for national security purposes (although according to many, these assurances did not fully address many of the concerns raised by the above-mentioned European institutions).

Written assurances?

Much has been said (and will continue to be said) about the precise legal status of the written assurances provided by US authorities (including the US Department of Justice and the Office of the Director of National Intelligence). These are in the form of written letters by these authorities.

During the debate on 11 July in the European Parliament, several members of the European Parliament questioned the binding nature of these letters, in particular referring to the upcoming US elections as a risk factor.

During the debate before the European Parliament, Commissioner Jourová pointed out that she was "not absolutely satisfied" with the outcome of the negotiations with the US authorities, pointing out that it would of course have been preferable that these assurances would have been included in a binding law. She pointed out that "we cannot afford to let our adequacy decision gather dust in a drawer" and stated that the European Commission would actively monitor whether the US authorities will effectively comply with their assurances, and would not hesitate to suspend the Privacy Shield where they had a concern.

What’s next?

The Privacy Shield will enter into force today. The US Department of Commerce has announced that it will start accepting self-certifications under the Privacy Shield from 1 August. Companies will therefore soon be able to rely on the Privacy Shield to justify transfers of personal data to the United States.

However, the Privacy Shield will undoubtedly continue to be tested in the coming months and years. Several privacy advocates (including Max Schrems, who was responsible for the annulment of the Safe Harbour mechanism) have already announced that they will challenge the Privacy Shield before the Court of Justice of the European Union.

In the more immediate future, the Article 29 Working Party has announced that it will issue an opinion on the Privacy Shield, which is expected around the end of July. An unfavourable opinion on the Privacy Shield will no doubt fuel challenges before the Court of Justice of the European Union.

Companies that rely on the Privacy Shield are therefore likely to remain subject to some level of legal uncertainty over the coming years. To be continued…