Privacy Shield ready for business
16 September 2016
On 12 July 2016 the EU adopted the EU U.S. Privacy Shield Framework. This new framework replaces the U.S. EU Safe Harbor Framework for data flows between the European Union and U.S. after its well publicised invalidation by the European Court of Justice in October 2015.
The five key stated improvements of the Privacy Shield as set out by the European Commission, are the following:
- the Privacy Shield includes stricter rules on how U.S. companies must handle personal data of European citizens (including tighter rules on the onward transfer of personal data to other companies);
- U.S. authorities have committed to monitor actively and enforce U.S. companies’ compliance with the Privacy Shield;
- there are several redress mechanisms for European citizens. These mechanisms include the establishment of a new Ombudsperson who will follow up complaints and enquiries made by European citizens;
- U.S. authorities have given written assurances on how they will handle the collection and use of personal data for national security and police enforcement purposes; and
- the Privacy Shield will be a dynamic system, which will be subject to a yearly joint review by EU and U.S. authorities.
The adoption of the Privacy Shield marks the conclusion of a lengthy and animated discussion, with earlier versions of the Privacy Shield having been subsequently criticised by the Article 29 Working Party, the European Parliament and the European Data Protection Supervisor.
Following these discussions, the European Commission renegotiated the Privacy Shield with U.S. authorities, resulting in an updated version. This updated version includes some improvements, for instance on the bulk collection of personal data for national security purposes (although, according to many, these assurances do not fully address many of the concerns raised).
Much has been said (and will continue to be said) about the precise legal status of the written assurances provided by U.S. authorities (including the U.S. Department of Justice and the Office of the Director of National Intelligence). These are in the form of written letters by these authorities.
During the debate on 11 July in the European Parliament, several members of the European Parliament questioned the binding nature of these letters, in particular referring to the upcoming U.S. elections as a risk factor.
The Privacy Shield is now in force, and the U.S. Department of Commerce has started accepting applications under the Privacy Shield. Companies will therefore soon be able to rely on the Privacy Shield to justify transfers of personal data to the U.S.
The Privacy Shield will undoubtedly continue to be tested in the coming months and years. Several privacy advocates (including Max Schrems, who was responsible for bringing the legal challenge against the Safe Harbour mechanism) have already announced that they will challenge the Privacy Shield before the Court of Justice of the European Union. Further information