Following support from the majority of EU Member States, the European Commission has issued an adequacy decision formally adopting the EU-US Privacy Shield. The framework arrangement was finalised with the US Department of Commerce in June of this year and concerns measures aimed at legitimising the trans-Atlantic transfer of European personal data to the US. The long awaited Privacy Shield replaces the old Safe Harbor framework, which was invalidated by the European Court of Justice in October 2015.
As well as imposing tougher obligations and more rigorous procedural requirements on US companies handling data relating to European citizens, the Privacy Shield safeguards and adds transparency obligations in relation to the US government’s access to transferred data. It includes new rules requiring the deletion of data and places limitations on onwards transfers to third parties. The new arrangement also provides a free dispute resolution mechanism allowing European citizens to raise complaints about the abuse of their personal data, creates an independent US Ombudsman to address these concerns and implements an annual joint review mechanism in order to monitor its ongoing functionality.
The Department of Commerce will begin accepting certifications of compliance from 1 August. While several US companies have already publically indicated their intent to apply for Privacy Shield status, it is likely that the arrangement will face further challenges in the courts by those who believe that it does not provide sufficient improvements to the Safe Harbor regime, particularly in relation to mass surveillance by US law enforcement and national security agencies.