The Privacy Shield

The Privacy Shield replaces the Safe Harbour agreement which was held to be invalid in October 2015 by the Court of Justice of the European Union. This followed Edward Snowden's leaks which provided evidence of the US National Security Agency’s mass surveillance of private data relating to European citizens.

Since its first publication in February 2016, the Privacy Shield has undergone significant changes, not least to address the Article 29 Working Party’s (WP29) "strong concerns" raised in its April 2016 Opinion of the February draft.

Changes made to the February draft of the Privacy Shield include:

  • clarifications about when bulk surveillance will be authorised
  • a requirement for companies to delete personal data that no longer serves the purpose for which it was collected
  • a requirement that a third party company processing data on behalf of a Privacy Shield-certified organisation must guarantee the same level of protection as the Privacy Shield company itself
  • clarifications with regard to the role of the independent Ombudsman, including that the US Secretary of State will be responsible for making certain that the Ombudsman has the means to ensure that its response to individual requests is based on all the necessary information.

The Privacy Shield provides a benchmark for self-certification so that companies wishing to export personal data from the EEA to the US do so in accordance with fundamental rights of EU data subjects, as set out in European data protection law.

What does the Privacy Shield do?

It imposes obligations on US companies in order to protect EU citizens’ personal data and is based on the following principles:

  • strong obligations on companies handling data including regular updates and reviews of participating companies conducted by the US Department of Commerce
  • the tightening of conditions for onward transfers of data from Privacy Shield companies to third parties to guarantee the same level of protection provided by the Privacy Shield
  • clear safeguards and transparency obligations on US government access including EU redress mechanisms
  • accessible and affordable dispute resolution mechanisms for individuals who consider that their data has been misused under the Privacy Shield scheme including free of charge alternative dispute resolution mechanisms and the creation of a role for a US Ombudsman independent of the US intelligence services
  • an annual joint review by the European Commission and the US Department of Commerce to monitor the functioning of the Privacy Shield.

What are the concerns with the new Privacy Shield?

Not all representatives of the European Union member states voted in favour of the Privacy Shield. Countries including Austria and Slovenia abstained, expressing concerns that the pact does not do enough to protect their citizens’ data.

Industry groups have been mixed in their response. The Digital Europe industry group, which represents global technology firms such as Google and Apple, has welcomed the decision. However, some groups (eg Privacy International) still have concerns about US national security, suggesting that it would be impossible to guarantee the promises set out in the Privacy Shield without changes to US Federal Law.

On 26 July the WP29 issued a statement on the decision of the European Commission on the Privacy Shield. Whilst acknowledging the changes made to the text of the Privacy Shield by the Commission and the US authorities, the WP29 highlighted that some of the concerns it expressed in its April opinion remain, for example that, in its view, the controls around the independence and powers of the Ombudsman mechanism could be tighter. The WP29 stressed the importance of the first annual review and the role that its national representatives will play in assessing "not only if the remaining issues have been solved but also if the safeguards provided under the EU-US Privacy Shield are workable and effective". The WP29 goes on to note that the results of the first review may also impact other transfer tools, such as Binding Corporate Rules and the Standard Contractual Clauses.

What happens now?

The Privacy Shield became operational on 12 July after the Commission issued its ‘adequacy decision’ declaring the Privacy Shield an adequate protection of EU citizens’ data protection rights.

To join the Privacy Shield an organisation must:

  • fall under the enforcement authority of the Federal Trade Commission or another US agency that can ensure compliance
  • publicise its commitment to adhere to the Privacy Shield’s principles
  • publicly disclose its privacy policy
  • implement the Privacy Shield’s principles.

Once eligible companies have reviewed the framework and updated their compliance, they will be able to certify with the Department of Commerce. Self-certification was opened up for US companies on 1 August 2016. In parallel, the European Commission will publish a short guide for citizens explaining the available remedies in case an individual considers that his personal data has been used without taking into account the data protection rules.

Will Brexit have an impact?

Should the UK press ahead with plans to leave the EU, the UK will have to consider how it will negotiate data transfers to and from the UK and the US. The Commission has the power to determine whether a third country ensures an adequate level of protection by reason of its domestic law or of the international commitments it has entered into. The effect of such a decision is that personal data can flow from the EU and EEA to that third country without any further safeguard being necessary. The Information Commissioner’s Office has made it clear that the UK would have to "prove 'adequacy'" to trade in the EU post-Brexit. A 'Privacy Shield' equivalent between the US and the UK would be likely to play a significant part in such a finding of ‘adequacy’.