On July 12, 2016, the European Commission (Commission) formally adopted the EU-US Privacy Shield (Privacy Shield) by issuing its adequacy decision, providing a new structure for cross-border data transfers from the European Union (EU) to the United States.
The Privacy Shield was developed after the Commission’s previous adequacy decision regarding the Safe Harbour framework was declared invalid by the Court of Justice of the EU. Following extensive negotiations, which considered concerns and recommended changes from the Article 29 Working Party, the Commission and the United States reached an agreement on the terms of the Privacy Shield.
How does the Privacy Shield Work?
The Privacy Shield consists of a variety of measures, including:
- More Robust Privacy Terms and Protections: Participating companies will be subject to stronger data protection obligations that will be monitored and enforced by United States authorities. This includes limitations on the retention of personal information, access to personal information in the context of law enforcement or national security, and the collection of personal information in bulk.
- Regular Monitoring and Review: The Commission and the United States government will meet annually to review the adequacy of the mechanisms in place. Companies utilizing the Privacy Shield will be subject to regular review by the United States Department of Commerce relating to their compliance with the data protection rules, and those that do not comply will face sanctions.
- More Comprehensive Redress Mechanisms: EU citizens who are concerned about the handling of their personal information will be provided with better and more easily accessible mechanisms for redress. Individuals will have a variety of methods to seek redress, including the ability to lodge complaints with the applicable private company, the United States Department of Commerce or the Privacy Shield panel.
Companies who wish to participate now have the opportunity to review the framework and update their compliance accordingly. To register to be on the Privacy Shield list, United States companies must self-certify that they meet and will comply with the standards of data protection set out in the Privacy Shield. Compliant companies will be able to certify with the Department of Commerce beginning on August 1, 2016 and must renew their certification annually. The United States government has committed to maintain a current list of Privacy Shield members and ensure that companies that are removed from the Privacy Shield list will be subject to its terms until they no longer retain personal information. The European Commission will be producing a guide for the public to clarify the parameters of the Privacy Shield and explain redress options available.