Yesterday, the European Commission adopted the EU-US Privacy Shield, the new framework to protect the fundamental rights of data subjects whose personal data are transferred from the EEA to the United States. The EU-US Privacy Shield is the successor to Safe Harbour, which had been declared invalid by the Court of Justice of the European Union (CJEU) in the “Schrems” case in October 2015. As a result, many companies operating internationally had either to stop sending personal data collected in the EEA to the US, or to look for an alternative legal basis to legitimize their data exports.
An initial agreement with the US authorities had been reached in February of this year, but the agreement was criticized by several stakeholders. The European Commission is confident that the amended agreement reflects the requirements set out by the CJEU in the “Schrems” case (sufficient guarantees against access to “European” personal data by the NSA and other US security agencies, and effective judicial redress mechanisms for EU citizens in case of an infringement of their rights).
US companies that wish to receive personal data from the EEA will be able to apply for certification under the Privacy Shield as of 1 August 2016. Certification under the Shield will be considered to provide adequate protection for the transfer of EEA personal data. The certification will have to be renewed every year, and the US Department of Commerce will actively monitor and verify that companies’ privacy policies are in line with the relevant Privacy Shield principles.
The adoption of the Shield brings an end – at least temporarily – to the practical void and the uncertainty resulting from the invalidation of Safe Harbour. The relief may, however, be temporary. It cannot be excluded that the Shield will also be challenged before the CJEU. The EU model clauses and Binding Corporate Rules – alternatives for transferring data outside the EEA – are currently also under attack.
In any case, for the time being, the Shield is a welcome and viable solution for transferring personal data to the United States.