After receiving the approval of the EU Member States last Friday, through the Article 31 Committee, the European Commission has today, 12 July 2016, formally adopted the Adequacy Decision necessary to implement the EU-U.S. Privacy Shield (the Decision).
The Decision will be notified to Member States today and, as such, will be effective immediately.
The adoption process had stalled in recent months due to ongoing concerns about access to personal data by public authorities in the U.S. You can read about some of these concerns in our previous blog post.
The European Commission has received further commitments from the U.S. and has agreed clarifications and improvements on the bulk collection of data, a strengthened Ombudsperson mechanism and more explicit obligations on companies as regards limits on retention and onward transfers. Those commitments and clarifications have been sufficient to allay the concerns of the EU Member States, at least for now.
The Privacy Shield is subject to an annual review mechanism.
Companies can now start to assess the finer detail of the Privacy Shield: what obligations must they comply with? What processes must they implement? What potential liability might they be accepting? The Privacy Shield Principles, which form the basis of the additional obligations U.S. companies must comply with, can be found in Annex 2 to the Decision.
Once companies have reviewed the Privacy Shield and have taken steps to update their compliance, they can certify with the U.S. Department of Commerce from 1 August.
Compliance with the Privacy Shield will be more burdensome than it was under its predecessor, Safe Harbor. Given this and the scope for potential challenge (see below), organisations will need to consider carefully whether the Privacy Shield is an appropriate mechanism to legitimise EU-U.S. transfers of personal data.
In due course, we will provide more information on the detailed requirements of the Privacy Shield and practical guidance on next steps.
Potential Schrems Challenge?
The European Commission is keen to stress the additional protection the Privacy Shield affords personal data transferred to the U.S. and the certainty it provides for businesses. However, some concerns remain, especially among privacy advocates, that the new regime does not meet the conditions set out in the judgment of the Court of Justice of the European Union from October last year and does not provide the equivalent level of protection required for personal data to be lawfully transferred outside the EU, mainly because of the lack of clear limitations on U.S. intelligence authorities' access to data.
It is very likely that there will be a challenge to the Privacy Shield, which might then face the same fate as the original EU-U.S. Safe Harbor. In fact, both Max Schrems, the original complainant in the Safe Harbor case, and Jan Philipp Albrecht, the MEP who was responsible for the passage of the new European General Data Protection Regulation, have come out to say that the level of protection is not sufficient, with Albrecht calling the Privacy Shield a "blank cheque for data transfers".