Earlier today the European Union and U.S. officials announced the final approval of the EU-U.S. Privacy Shield data transfer agreement (“the Privacy Shield”). Beginning August 1, 2016, organizations based in the U.S. will be able to self-certify their compliance with the Privacy Shield.
The Privacy Shield is meant to replace the EU-U.S. Safe Harbour agreement which was invalidated on October 6, 2015, by the Court of Justice of the European Union’s (CJEU) ruling in Schrems v. Data Protection Commissioner. Post Schrems, U.S. companies have been unclear what to do to transfer data out of the EU in a compliant manner. The final approval of the Privacy Shield should provide some measure of comfort to the 4,400 U.S. companies who previously relied on the Safe Harbour agreement.
Today’s announcement was not unexpected as the EU and U.S. had previously agreed on changes to address many of the concerns expressed with the original draft of the Privacy Shield. Following the announcement, the European Commission also made public the final amended text of the agreement, as well as annexes and a fact sheet on the Privacy Shield.
The European Commission’s decision takes immediate effect, but companies will be given until August 1 to review the Privacy Shield to enable a “smooth transition” according to the U.S. Secretary of Commerce, Penny Pritzker.