Following two and a half years of negotiation, on 12 July 2016 the European Commission formally approved the EU-U.S. Privacy Shield (the “Privacy Shield”) as a mechanism for governing the transfer of personal data from the European Union to the United States for commercial purposes. The framework replaces its predecessor, Safe Harbor, which was invalidated in October 2015 for failing to meet EU data protection standards, in large part because of concerns that transferred data was subject to mass surveillance by the U.S. Government.

The Privacy Shield makes significant changes in three areas:

  1. Imposing strong obligations on companies handling and transferring personal data;
  2. Protecting the fundamental rights of individuals and giving them clear and affordable mechanisms to take action against businesses which do not comply; and
  3. Setting out limitations and safeguards on US Government access to personal data.

Since 1 August 2016, U.S. companies have been able to “self-certify” under the Privacy Shield with the U.S. Department of Commerce by filing an online registration, application and supporting documentation. The Department of Commerce then actively verifies each company’s privacy policy, continues to monitor it, and maintains an up-to-date, publicly available list of Privacy Shield members.

The approval of the framework ends months of uncertainty for UK businesses that transfer data across the Atlantic. Even with Brexit on the horizon, the Information Commissioner has already said that the UK may have to adopt the EU data protection rules in order to trade with Europe post-Brexit. If not already underway, businesses are now advised to review their data transfers to the U.S. to ensure that they are compliant, by relying either on the Privacy Shield or on one of the other available mechanisms or derogations for legitimising the transfers.

Examples of how this might affect retailers include:

  • use of US-hosted cloud solutions such as Salesforce CRM to manage customer data; and
  • use of US-based infrastructure providers to host the personal information of consumers who enter a competition. This may occur with your full knowledge where you have retained the service provider, or it may happen inadvertently where you retain an agency to manage the promotion, which then subcontracts the hosting. In either case, you should confirm that the provider actually handling the data appears on the public Privacy Shield list or that another valid transfer mechanism is in place.