On July 12, the European Commission (EC) published an implementing decision (Adequacy Decision) under the EU directive on the protection of individuals with regard to the processing and free movement of personal data (Directive). The Adequacy Decision responds to the uncertainty in relation to transatlantic transfers of personal data introduced by the European Court of Justice findings in October 2015 that the previous EU-US safe harbor framework was invalid. The EC therefore has decided that the new “EU-US Privacy Shield” framework (Privacy Shield) provides an adequate level of protection in the United States for personal data transfers under the Directive. The Privacy Shield consists of principles issued by the US Department of Commerce (Principles), which are contained in annex II of the Adequacy Decision, as well as other letters and mechanisms to safeguard data protection.

The Adequacy Decision is designed to streamline transfers of personal data between the European Union and the United States; however, US organizations wishing to benefit from the Privacy Shield will need to meet certain requirements. Only US–based organizations that self-certify and declare their commitment to the Principles will be included on a list maintained by the US Department of Commerce (List), and only personal data transfers to organizations on the List will benefit from the Privacy Shield (and thus, the Adequacy Decision). Under the Principles, US organizations also will be required to publish their privacy policies and give notice to individuals of their participation in the Privacy Shield, and comply with other requirements in relation to choice, access, security, onward transfer of personal data and independent recourse.

The Adequacy Decision went into effect in the European Union on the date of its announcement, July 12, and will be operative in the United States once the framework is published in the Federal Register. The US Department of Commerce expects to begin accepting self-certifications on August 1.

As noted in the Corporate & Financial Weekly Digest edition of June 24, subject to the post-Brexit relationship agreement between the United Kingdom and the European Union, the United Kingdom may lose the benefit of equivalence decisions and frameworks, such as the Privacy Shield, negotiated on behalf of EU Member States once the United Kingdom formally leaves the European Union.

A copy of the Adequacy Decision can be found here, and associated annexes (including the Principles in annex II), can be found here.

A copy of the EC’s accompanying press release can be found here.