On 12 July 2016, the Commission adopted the Privacy Shield as an adequate means of transferring personal data from Europe to the United States. The US Department of Commerce started accepting applications for certification from 1 August 2016. The U.S. Department of Commerce has now also launched a website which provides information on the Privacy Shield which, amongst other things, provides information about complying with, and self-certifying against, the Privacy Shield’s principles.
The Commission's finding of adequacy is based on the following differences between the Privacy Shield and the Safe Harbor scheme:
- stronger obligations on data importers;
- tighter conditions for onward transfers to third parties;
- limitations and safeguards in respect of access to data by the US government;
- regular reviews of certified companies in order to ensure compliance with the requirements of the certificate and sanctions for non-compliance imposed by the new Ombudsperson; and
- the availability of accessible and affordable dispute resolution processes for data subjects.
However, sceptics, when looking at the detail of the certification scheme, would be forgiven for drawing parallels. The following areas are particularly notable:
- US authorities still have access to data transferred under the Privacy Shield. In fact, they will still be able to require the bulk disclosure of data where specific, targeted collection is not possible;
- many do not consider the redress mechanisms to be user friendly; and
- there is confusion around the role of the new Ombudsperson as a monitoring authority.
On 26 July 2016, the Article 29 Working Party issued a statement advising that it "welcomes the improvements brought by the Privacy Shield mechanism compared to the Safe Harbor decision". However, it advises that a number of concerns still remain, particularly around access to personal data by public authorities. The Article 29 Working Party indicated that the first annual joint review will be "a key moment for the robustness and efficiency of the Privacy Shield mechanism to be further assessed". From the perspective of the Article 29 Working Party at least, it seems that the Privacy Shield will be given a (wary) chance for the next 12 months.
As a further note of caution, Max Schrems, the caped crusader of the privacy world, has issued a statement indicating that the Privacy Shield could be subject to similar challenges to those which led to the fall of Safe Harbor.
The European Commission's adequacy decision can be accessed here.
The Article 29 Working Party statement can be accessed here.
The US Department of Commerce website can be accessed here.
The statement issued by Max Schrems can be accessed here.