On February 29, 2016, after more than two years of negotiations with the U.S. Department of Commerce, the European Commission released its draft Decision on the adequacy of the new EU–U.S. Privacy Shield program, accompanied by new information on how the Program will work. This new framework will protect the fundamental rights of Europeans when their data is transferred to the United States and ensure legal certainty for businesses.
On February 29, 2016, the European Commission issued the legal text that will put in place the EU-‐U.S. Privacy Shield and a Communication summing up the actions taken over the last years to restore trust in transatlantic data flows since the 2013 mass-‐surveillance revelations.
The new arrangement will include, among others:
- clear safeguards and transparency obligations on U.S. government access;
- protection of EU citizens’ rights with several redress possibilities;
- strong obligations on companies handling Europeans’ personal data.
In this regard, U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed, including compliance with decisions by European DPAs.
The Article 29 Working Party (hereinafter, the “WP29”), in a statement issued on February 3, 2016, expressed concerns that the U.S. legal framework does not meet the guarantees provided for by the European applicable legislation on fundamental rights, with particular regard to the necessity and proportionality principles in the field of data processing and the remedies available to individuals.
Therefore, in the light of the details now available, the WP29 will consider whether the other data transfer mechanisms are still valid for transfers of personal data to the U.S. According to the Chair of the Working Party, Mrs. Isabelle Falque-‐Pierrotin, a final decision should be taken by the end of April 2016.
The European Commission will have to vote on the adequacy of the Privacy Shield, before it finally comes into effect. A few months are thus still available for U.S. corporations to carefully weigh up all the alternatives in force (BCR, SCC and, where applicable, consent) before formally signing up for the new Privacy Shield.