On July 12, 2016 the European Commission (EC) adopted the final version of the EU-U.S. Privacy Shield, but will it be a success?

Background

As you remember from our posts here and here, prior to the EU-U.S. Privacy Shield, the Safe Harbor Privacy Principles scheme was in place. Such framework used to set out the terms under which it was possible to transfer personal data from the European Union to companies based in the United States that undertook to comply with a number of relevant principles. This applied even though the United States is considered as a country that does not ensure an adequate level of protection to personal data under European Union legislation.

However, in October 2015, the European Court of Justice declared the Safe Harbor invalid, pushing the EU and the US to find an alternative solution which could be of assistance to a flow of data amounting up to $ 250 billion in international trade. In light of such amount of investments and in order to allow companies transferring data from the EU to the US to avoid more time consuming and costly arrangements, the EU Commission and the US Government discussed the issue at length.

Finally the final draft of the Privacy Shield was approved, but the saga might not be over!

In fact, prior to any formal approval, Article 29 Working Party issued – a couple of months ago – a press release which welcomed the significant improvements brought by the Privacy Shield compared to the Safe Harbor decision, but, at the same time, declared that the adequacy decision does not go far enough in offering EU citizens satisfactory level of protection.

Is the Privacy Shield already over?

The Privacy Shield is now a valid legal basis for the transfer of personal data between the EU and the U.S. However this scenario might not be stable. The Privacy Shield might in fact face legal challenges based on the continuous mass surveillance allowed to the US.

The Italian Data Protection Authority has not yet commented on the approval of the Privacy Shield, but it has been stressing the fact that a coordinate action at a European data protection supervisory authorities level would be appreciated in order to assess the best way to identify common guidelines.

For the time being, the EU Standard Model Clauses are still the best choice for data transfer outside of the EU and countries approved by the EC as providing an adequate level of data protection.