Yesterday, the EU-US Privacy Shield was approved, and US organizations will be able to certify compliance with its principles and receive personal data from EU-based organizations beginning on August 1, 2016. In their LawFlash (EU-US Privacy Shield Approved), partners Pulina Whitaker, Gregory Parks, Reece Hirsch, and Mark Krotoski examine the implications of this new option for transatlantic data transfers. Since the landmark decision of the European Court of Justice (ECJ) in Maximillian Schrems v. Data Protection Commissioner that invalidated the Safe Harbor program, personal data transfers from the European Union to the United States have been in a state of uncertainty. Although the European Commission considers the United States to be a country with “inadequate” data protection laws, US organizations that certify compliance with the EU-US Privacy Shield principles will be able to receive personal data from EU-based organizations without specific consent or any agreements in place with EU data exporters.
Earlier this year, the Article 29 Working Party expressed concerns that the draft adequacy decision did not give enough protection to European citizens. In connection with the new Privacy Shield decision, the European Commission has announced that US authorities have given sufficient assurances regarding personal data access, use, and protection by public authorities.
Given the uncertainty surrounding the United Kingdom’s referendum decision to leave the European Union, the EU-US Privacy Shield may have Brexit implications; for example, the United Kingdom may decide to adopt a similar model for data transfers from the United Kingdom to the United States. Our Brexit Resource Centre will continue to provide guidance on the legal and business implications of the United Kingdom’s decision to leave the European Union.