As we previously reported, the European Commission (EC) had been negotiating the EU-US Privacy Shield framework since October 2015, after the EU-US Safe Harbor was invalidated by the EU Court of Justice. The new agreement was announced in February 2016 but was widely criticised by the European Parliament, European privacy watchdogs and numerous human rights activists for providing only a facelift to Safe Harbor. In the subsequent months, the EU and US had been fine-tuning the deal in order to ensure that it complies with the strict level of personal data protection required by EU law and is less susceptible to legal challenges.
The final text addresses key concerns of the Article 29 Working Party, a body representing all EU data protection authorities. The framework provides stricter rules on data retention, clarifies the position of the US ombudsman, and contains stronger commitments in writing ruling out indiscriminate mass surveillance of data transferred under this arrangement by the US public authorities. We will know whether these improvements go far enough by the end of July, when the Article 29 Working Party will announce a common position of the European data protection authorities after “coordinated analysis of the documents”. Whatever the result, we expect that the framework and the companies using it will be under continuous scrutiny by EU data protection authorities.
In the meantime, US companies can register on the Privacy Shield list by certifying with the U.S. Department of Commerce, after reviewing the framework and bringing their practices into compliance with it. This self-certification will be possible starting 1 August and is subject to annual renewal. The new self-certification requirements will require significant compliance efforts and costs. The requirements include:
- expanded obligations regarding information disclosures
- increased accountability for onward transfers
- new monitoring and oversight mechanisms
- documentation and reporting.
In addition, participating US companies will be required to publicly commit to comply with the framework’s requirements; this commitment will become enforceable under US law.
It remains to be seen whether the Privacy Shield can provide a sustainable basis for future cross-border data transfers. But whichever data transfer mechanism is used, the company exporting data outside the EU remains responsible for personal data transferred outside the European Economic Area. The data-exporting company will have to demonstrate its compliance with EU data protection law to supervisory authorities.
We suggest companies focus their efforts on binding corporate rules for intra-group transfers of personal data of employees or customers. For transfers to processors or other third parties, we suggest using standard contractual clauses. We advise companies relying on the Privacy Shield to adopt additional contractual data protection controls that would demonstrate compliance with EU law.