A critical decision today by European Union privacy officials ends the era of uncertainty for the 4,000 plus U.S.-based companies and the thousands of EU-based companies that formerly relied on the U.S.-EU Safe Harbor Framework to legally transfer personal data to the United States.
In formally adopting the EU-U.S. Privacy Shield on July 12, 2016, the EU Commission cleared the final legal hurdle for the substitute data transfer mechanism to go into effect. To that end, companies that wish to participate in the Privacy Shield may begin the self-certification process with the Department of Commerce starting August 1, 2016.
But perhaps more significant to the future of transatlantic business and data flows was today’s decision by the Article 29 Working Party ("WP 29"), comprised of representatives from the data protection authorities ("DPAs") of the 28 EU Member States, to withhold judgment on the adequacy of the replacement framework until at least the summer of 2017. Though having no legal effect, the WP 29’s public pronouncement is crucial, as it removes the final clouds of uncertainty hovering over the data transfer mechanism (at least for a time) and clears the path to participation for companies that had been on the fence since the infamous Schrems decision.
Now companies that were concerned that participation would be short-lived because the new framework would suffer the same fate as the Safe Harbor and be invalidated by the EU courts, can devote resources to compliance with the Privacy Shield without the fear that the DPAs in the various EU Member States are going to attack their participation in the new regime. Companies that participate are deemed to provide "adequate" privacy protection for the transfer of personal data outside of the EU under the EU’s Data Protection Directive.
Instead of poking holes in the framework from the sidelines and fanning the flames of those who feel the new regime does not go far enough, the WP 29 is going to let the process unfold as intended by the U.S. and EU authorities, who will be required to sit down on an annual basis to evaluate the successes and failures of the data transfer pact. The WP 29 has indicated that it will wait until the European Commission has completed its first annual review of the data transfer pact before it revisits the issue of whether the presumed level of privacy protection afforded to EU citizens under the Privacy Shield is "adequate." Companies that wish to participate should now turn their sights on making sure they are in a position to self-certify as soon as possible, but in any event, no later than September 30, 2016. This is because companies that sign up by that date will be given a nine month reprieve by which to bring their contracts with third parties vendors into compliance with Privacy Shield principles.