On July 12, 2016, the European Commission formally adopted the EU-U.S. Privacy Shield to replace the previously invalidated Safe Harbor Framework as an adequate method of transferring personal data from the European Economic Area to the United States. The U.S. Department of Commerce (DOC) will begin processing self-certification applications on August 1, 2016.
Since the European Court of Justice invalidated the Safe Harbor Framework on October 6, 2015, in Schrems v. Data Protection Commissioner, the European Commission and the DOC have engaged in intense negotiations to develop an acceptable replacement for Safe Harbor. On February 2, 2016, the parties announced that they had reached an agreement on the replacement, which they named “the EU-U.S. Privacy Shield,” and released details regarding the Privacy Shield on February 29, 2016.
Almost immediately, EU Data Regulators expressed concerns about the Privacy Shield and its lack of details and protections regarding the U.S. government’s ability to conduct mass surveillance of transferred data, the independence of the U.S. ombudsperson who will adjudicate complaints from EU citizens regarding misuse of their data, and the lack of protections regarding data retention and transfers to other companies. As a consequence, the European Commission and DOC resumed negotiations and agreed on the adopted version, which the parties contend addresses these concerns as well as the legal issues raised by the European Court of Justice in the Schrems decision. However, Max Schrems, who brought the case that invalidated the Safe Harbor Framework, has announced that he will challenge the Privacy Shield, and the validity of the Privacy Shield is likely to be reviewed in the future by the European Court of Justice.
Next Steps for Employers
Between now and August 1, employers wishing to transfer personal data of EU employees to the United States should revise their data privacy policies and practices to comply with the Privacy Shield requirements. Employers currently using standard contract clauses to transfer personal data from the EU to the United States should consider self-certifying under the Privacy Shield, as the Irish Data Protection Authority is challenging the adequacy of standard contract clauses.