13 July 2016

EU-US Privacy Shield operational from 1 August 2016: end of legal uncertainty?

The European Commission issued an adequacy decision about the EU-US Privacy Shield framework (Privacy Shield) on 12 July 2016. The Privacy Shield agreement replaces the Safe Harbor framework invalidated in October 2015. European companies will be able to lawfully transfer personal data to the US counterparts that sign up to comply with the Privacy Shield. The adequacy decision enters into force immediately but the framework still requires certain steps on the US side. The U.S. Department of Commerce announced it will start accepting certifications on 1 August 2016.

Despite assurances from the EU Commission and the US government that the Privacy Shield places stronger obligations on US companies in protecting personal data of Europeans, legal challenges to transfers based on this mechanism seem inevitable. The Privacy Shield will be under close scrutiny of data protection authorities and may be challenged in court just like Safe Harbor was in the past or the standard contractual clauses currently are. We recommend that businesses rely on other transfer mechanisms, such as binding corporate rules or standard contractual clauses. We suggest companies that rely on the Privacy Shield adopt additional contractual data protection controls to demonstrate compliance with EU law.

As we previously reported, the European Commission (EC) had been negotiating the EU-US Privacy Shield framework since October 2015, after the EU-US Safe Harbor was invalidated by the EU Court of Justice. The new agreement was announced in February 2016 but was widely criticised by the European Parliament, European privacy watchdogs and numerous human rights activists for providing only a facelift to Safe Harbor. In the subsequent months, the EU and US had been fine-tuning the deal in order to ensure it complies with the strict levels of personal data protection required by EU law and is less susceptible to legal challenges.

The final text addresses key concerns of the Article 29 Working Party, a body representing all EU data protection authorities. The framework provides stricter rules on data retention, clarifies the position of the US ombudsman, and contains stronger written commitments ruling out indiscriminate mass surveillance by US public authorities of data transferred under this arrangement. We will know whether these improvements go far enough by the end of July, when the Article 29 Working Party will announce a common position of the European data protection authorities after “coordinated analysis of the documents”. Whatever the result, we expect that the framework and the companies using it will be under continuous scrutiny by EU data protection authorities.

In the meantime, US companies can register on the Privacy Shield list by certifying with the U.S. Department of Commerce, after reviewing the framework and bringing their compliance into line with it. This self-certification will be possible starting 1 August and is subject to annual renewal. Meeting the new self-certification requirements will take significant compliance effort and cost. The requirements include:

  • expanded obligations regarding information disclosures
  • increased accountability for onward transfers
  • new monitoring and oversight mechanisms
  • documentation and reporting.

In addition, participating US companies will be required to publicly commit to comply with the framework’s requirements; this commitment will become enforceable under US law.

It remains to be seen whether the Privacy Shield can provide a sustainable basis for future cross-border data transfers. But whichever data transfer mechanism is used, the company exporting data outside the EU remains responsible for personal data transferred outside the European Economic Area. The data-exporting company will have to demonstrate its compliance with EU data protection law to supervisory authorities.

We suggest companies focus their efforts on binding corporate rules for intra-group transfers of personal data of employees or customers. For transfers to processors or other third parties, we suggest using standard contractual clauses. We advise companies relying on the Privacy Shield to adopt additional contractual data protection controls that would demonstrate compliance with EU law.

Read more in our In context articles about the proposed Privacy Shield and invalidation of Safe Harbor. See also the full text of the adequacy decision, its annexes and the factsheet.