EU-US Privacy Shield update
Published 3 March 2016
What does this cover?
On 2 February the EU Commission announced that political agreement had been reached on the formation of a new transatlantic data transfer regime, the EU-US Privacy Shield (the Privacy Shield) to replace Safe Harbor.
The Privacy Shield has been agreed on the basis of four guarantees given to the EU by the US, which require:
- data processing to be based on clear, precise and accessible rules;
- the objectives pursued to be necessary and proportionate;
- an independent and effective oversight mechanism to be put in place; and
- effective remedies to be available to the individual.
On 29 February 2016 the EU Commission published the text of the Privacy Shield framework. Amongst other documents, this includes:
- the EU-U.S. Privacy Shield Framework Principles (as issued by the U.S. Department of Commerce); and
- a draft adequacy decision.
The EU Commission has also issued a Communication to the EU Parliament and Council, entitled "Transatlantic Data Flows: Restoring Trust through Strong Safeguards."
We now await the opinion of the Article 29 Working Party who will closely analyse the Privacy Shield documentation.
In order for the draft adequacy decision, the following will need to take place:
- WP29 to produce a (non-binding) opinion on the Privacy Shield Principles and draft adequacy decision;
- Article 31 Committee (EU Member State representatives) binding opinion; and
- EU College of Commissioners to formally adopt the adequacy decision.
The EU Parliament and Council have the power to amend or withdraw the adequacy decision up until the EU College of Commissioners formally adopt the decision.
On the other side of the Atlantic, the US authorities will be establishing the frameworks necessary for the Privacy Shield to operate.
To view our recent editorial on the Privacy Shield framework, please click here.
To view the European Commission press release (29 February 2016), please click here.
Please click here to view the following documents:
- Privacy Shield Principles (Annex II)
- Draft adequacy decision
- Communication – Transatlantic Data Flows: Restoring Trust through Strong Safeguards
- Q&A document
What action could be taken to manage risks that may arise from this development?
Organisations should continue to monitor the development of the Privacy Shield proposal. In the meantime, alternative mechanisms for international data transfers (e.g. standard contractual clauses and binding corporate rules) should continue to be used.