The formal signing of the Privacy Shield marks a critical step in facilitating free-flowing, cross-border transfers of personal data for 4,500 large and small businesses in Europe and the US. The Privacy Shield aims to create a robust and living framework tailored to the digital ecosystem of transatlantic data transfers for businesses and European data subjects alike.
As we previously reported (see here and here), the Privacy Shield is the solution to a major challenge to transatlantic data transfers following the invalidation of the Safe Harbor programme by the Court of Justice of the European Union (CJEU) 8 months ago.
The Privacy Shield promises robust and effective changes to the way in which enterprises transfer personal data and the protections afforded to individual Europeans. Some of the key features of the new scheme include:
- Ombudsman: there will now be a US-based independent ombudsman devoted to the protection of personal data held by European businesses. It has been reported that US official Cathy Novelli will be the first such ombudsman. The ombudsman will invoke the rights of access, erasure and rectification of personal data on behalf of individuals. This is a game-changer for EU-US data flows and will seek to address the CJEU's concerns that 'Safe Harbor' did not provide adequate remedies for privacy violations.
- Government oversight: US companies will be in a position to apply to be registered as self-certified companies as of 1 August 2016, once they have met certain pre-conditions, including having a dispute resolution mechanism and a compliant privacy statement in place. Crucially, they will also be regulated by the US Department of Commerce. An added advantage of this system will be that the data processing activities of US companies will be vetted independently, further cementing the protection of personal data.
- Ongoing monitoring & reviews: the Privacy Shield aims to provide an effective 'living' framework to safeguard data transfers from Europe to the US, allowing businesses to deal with the personal data of millions of individuals. It will also be subject to annual reviews by EU institutions and US officials to monitor the effectiveness of the mechanism and the commitments provided. European data protection authorities will also engage in ongoing monitoring of the effectiveness of this new framework.
The Privacy Shield will now be translated and published in the Official Journal of the European Union. However, the path ahead may not be straightforward as legal challenges are expected. It is likely that the Privacy Shield will be referred to the CJEU for an assessment as to the 'adequacy' of the Privacy Shield and whether it actually provides protection that is essentially equivalent to EU standards of data protection.
Businesses considering applying for the new scheme will be closely monitoring developments in the coming weeks and months, particularly in light of the current Irish High Court case of Schrems II (see our previous article here).