On 12 July 2016, the European Commission adopted the EU-US Privacy Shield. The Privacy Shield will replace the old 'Safe Harbour' process of transferring personal data, which the European Court of Justice invalidated in October 2015 following a legal challenge from Maximilian Schrems. The Privacy Shield will govern the basis upon which personal data can be transferred between the EU and the US.

A prolonged period of negotiations between the EU and the US has been required to agree on a new framework. This framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States and introduces legal clarity for businesses relying on transatlantic data transfers.

The EU-US Privacy Shield is based on the following principles:

  1. Strong obligations on companies handling data: Authorities will conduct regular reviews of participating companies to ensure compliance, and companies that do not comply will face sanctions or exclusion.

  2. Government oversight: The US has given the EU assurances that access by public authorities for law enforcement and national security purposes is subject to clear limitations, safeguards and oversight mechanisms.

  3. Annual joint review: The European Commission and the US Department of Commerce will conduct an annual review with the aid of national intelligence experts from the US and European Data Protection Authorities.

  4. Effective protection of individual rights: Any citizen who considers that their data has been misused will benefit from several accessible dispute resolution mechanisms. A new Ombudsperson, who will be independent from the US intelligence community, will be available to deal with certain matters.

It remains to be seen if the new framework meets the Schrems criteria. While there are certain improvements, the path ahead may not be straightforward as further legal challenges are expected. There is still a lack of certainty for companies and, as such, legal advice should be taken before any transatlantic transfer of personal data.