Liisa Thomas, chair of Winston & Strawn’s Privacy and Data Security Practice, was quoted in Data Guidance’s article “International: Privacy Shield Adequacy Decision ‘Only a Step’ Towards Success” published on July 14, 2016. The article discusses the European Commission’s recently adopted adequacy decision and whether companies should take additional precautionary steps or rely solely on the Privacy Shield framework.
According to the article, the EU Commissioner for Justice, Consumers and Gender Equality and the U.S. Secretary of Commerce recently announced that the adequacy decision had been adopted by the European Commission (the Commission). The article states that according to the Commission, the Privacy Shield reflects the requirements set out by the Court of Justice of the European Union (CJEU), which declared the Safe Harbor framework invalid. The Privacy Shield, composed of the adequacy decision and accompanying annexes, is now officially the new framework designed to protect personal data transferred from the EU to the U.S., as well as to ensure legal clarity for businesses relying on transatlantic data transfers.
The article states that since its introduction, the Privacy Shield has received a number of requests for improvements from the European Data Protection Supervisor, the Article 29 Working Party, and the European Parliament. In response, the Commission amended the initial version to include additional assurances regarding bulk collection, the independence of the Ombudsperson mechanism, the redress mechanisms available to EU citizens, and the provisions regarding the retention of data.
“U.S. companies will want to think carefully about the Privacy Shield before participating. While there are certainly benefits, it is of concern that the adequacy decision calls on the Commission to re-evaluate the decision annually. It is possible that the program may change regularly, which could make compliance more burdensome,” said Ms. Thomas.
Ms. Thomas further noted that companies considering participating may want to do so before 1 October 2016 to take advantage of the nine-month grace period for addressing the contractual requirements for existing contracts. After that date, companies will not be able to take advantage of it.
“Companies who are moving forward with the Privacy Shield would be well served to have a playbook or other internal guidance document in place to make sure they understand how they will continue to fulfill the Privacy Shield's obligations on an ongoing basis,” she said.