The European Commission adopted the EU-U.S. Privacy Shield on 12th July 2016.
The Privacy Shield is a framework for protecting the fundamental rights of anyone in the EU whose personal data is transferred to the U.S. After the period of legal uncertainty that followed the CJEU ruling of October 2015 declaring Safe Harbour invalid, the Privacy Shield may bring legal clarity for businesses that rely on transatlantic data transfers.
The Privacy Shield is intended to replace Safe Harbour as a new and improved framework for the transfer of personal data from the EU to the U.S. It appears that the Privacy Shield has remedied the deficiencies of Safe Harbour which the CJEU pointed out in its ruling and which were the reason for the "failure" of Safe Harbour.
Under the Privacy Shield, U.S. companies will be able to register on the Privacy Shield list and self-certify to the U.S. Department of Commerce as of 1st August 2016. Once a U.S. company is on the Privacy Shield list, personal data may be transferred from the EU to that certified company under the Privacy Shield framework. No further authorisation by the national data protection authority (DPA) is required.
The EU-U.S. Privacy Shield is based on the following principles:
- Strong obligations on companies handling data – the U.S. Department of Commerce will conduct regular updates and reviews of participating companies, to ensure that they comply with the rules they have committed to;
- Clear safeguards and transparency obligations on U.S. government access – access to EU citizens' personal data by U.S. public authorities for law enforcement and national security purposes is subject to clear limitations, safeguards and oversight mechanisms;
- Effective protection of individual rights – any citizen who considers that their data has been misused under the Privacy Shield scheme has access to several dispute resolution mechanisms;
- Annual joint review mechanism – the European Commission and the U.S. Department of Commerce will conduct reviews, bringing together national intelligence experts from the U.S. and European DPAs, with a view to monitoring the functioning of the Privacy Shield.
Notwithstanding these improvements, the Privacy Shield has been strongly criticised on the ground that it still does not meet the EU standard of an adequate level of protection for the privacy of EU citizens, so there is a high risk that it will soon be challenged and referred to the CJEU.
Since the CJEU Safe Harbour ruling, companies have had to rely on Standard Contractual Clauses and Binding Corporate Rules as the legal basis for transferring personal data from the EU to the U.S. However, Standard Contractual Clauses might share the same fate as Safe Harbour: they have already been challenged before the competent Irish authorities, with a recommendation that the case be referred to the CJEU.