The EU-US Privacy Shield has finally arrived!
In April, we reported on the status of the EU-US Privacy Shield (see The EU-US Privacy Shield: Where are we now?). Like its predecessor, Safe Harbor, it is designed as a self-certification mechanism that enables businesses in the US to import data from the European Union in compliance with the EU's data protection rules. However, the new mechanism places greater weight on stronger protection of the personal data that is transferred across the Atlantic.
In order for businesses to rely on the framework, the European Commission had to make a decision that it provides adequate protection (in accordance with the eighth data protection principle). As part of the process, the European Union's Article 29 Working Party (WP29) published its opinion on the scheme in its draft form in April, and pointed out a number of issues (see here for more information).
Consequently, the negotiators agreed a number of provisions to address WP29's concerns:
- The introduction of supervision mechanisms and explicit data retention limits. In the previous draft there was no reference to the data retention principle and no wording on protection against automated individual decision-making.
- The imposition of stricter conditions for onward transfers from the US. WP29 had stated that third country recipients of data should have to apply the same standards.
- The creation of an Ombudsperson, as well as several other accessible and affordable dispute resolution mechanisms. These are to be used by Europeans who consider that their data has been misused, and are intended to address the complexity of the recourse mechanisms in the earlier draft.
- Strong US commitments to rule out indiscriminate mass surveillance. WP29 argued that such massive collection of data could never be proportionate or necessary.
- The introduction of a mechanism for an annual joint review of how the framework is functioning. The framework should also be reviewed on both sides of the Atlantic when the incoming General Data Protection Regulation comes into force from 2018, to make sure that the protections afforded by the GDPR are replicated by the EU-US Privacy Shield scheme.
On 12 July, the European Commission made the required adequacy decision and adopted the EU-US Privacy Shield, to take effect as soon as it had been communicated to all member states. That notification has now taken place.
The UK voted to leave the EU on 23 June, but it is not yet clear how European information governance regimes will affect the UK as a consequence. Some of our thoughts on what may happen in this area can be found here.
Until such time as the UK does leave the EU and clarity is gained about how processing of personal data in a post-EU UK will be governed, the Privacy Shield provides an additional option for legitimising data transfers to the US, alongside Model Contract Clauses and Binding Corporate Rules. Transfers of personal data to US organisations that have certified their compliance with the Privacy Shield will be compliant with the eighth data protection principle. However, campaigners have already signalled their intention of challenging the adequacy of the Privacy Shield through the courts, so this is unlikely to be the end of the story.
If you have concerns about the legality of data transfers in your business, or would like advice on any aspect of data protection or information governance, please get in touch with our specialist data protection lawyers who would be happy to help.
We also offer a range of data protection training sessions. For more information or to book your place, click here.