EU approval of Privacy Shield provides clarity for transatlantic data transfers

Written on 11 Jul 2016

Today, the European Commission formally adopted and finalized the EU-U.S. Privacy Shield, a new framework for transatlantic data flows that replaces the old ‘Safe Harbor’ scheme. You may be aware that the Privacy Shield was previously criticized by the Article 29 Working Party (one of the key pan-EU advisory boards), so the adoption of the EU-U.S. Privacy Shield is the result of much debate and revision to address the various concerns, particularly in relation to US authorities’ access to data.

Benefits for US companies

Fundamentally, the new framework is designed to facilitate data transfers between Europe and the U.S., in place of other existing mechanisms, such as EC-approved Model Clauses. This will benefit US clients that operate in Europe, particularly as those alternative mechanisms can be cumbersome, impractical and expensive and, in some cases, are even subject to legal challenge. Like all transfer mechanisms, the new EU-U.S. Privacy Shield is not completely immune from potential challenge in the future, but the various committees and working parties have strived to address any concerns.

The basics

Like ‘Safe Harbor’, the Privacy Shield will be a self-certification scheme under which businesses looking to transfer personal data from Europe to the U.S. confirm adherence to a set of principles. These include, for example: (i) ensuring that personal data is only processed for the specific purpose for which it was collected, and that it is accurate, (ii) giving individuals the right to opt out of their information being shared with any third party, and (iii) requiring data controllers to be accountable for any onward transfers of data. It is worth mentioning that compliance with Privacy Shield principles will not necessarily guarantee compliance with obligations that will be introduced when the new EU General Data Protection Regulation comes into force in May 2018.

In the U.S., compliance will be monitored and enforced by the Department of Commerce. In the event of non-compliance, businesses may be required to return or delete personal data received under the Privacy Shield. The Department of Commerce will also monitor ‘false claims of participation in the Privacy Shield, and improper use of the Privacy Shield certification mark’ and may conduct ad hoc compliance reviews.

Moving forward

Ultimately, the Privacy Shield should enable businesses to transfer personal data out of Europe more efficiently, and should increase the protection of individuals’ personal data. Whilst the scheme is not officially ‘open for business’ until August 1 2016, if you have any queries about how it may benefit your business, what you can do to prepare for it, or the obligations it will impose, please do not hesitate to contact one of our experts.