On Tuesday the European Commission adopted the EU-U.S. Privacy Shield
Current status and next steps
According to EU Commission’s press release the „adequacy decision“, the formal legal act of the Commission on E.U. side, was notified on Tuesday to the Member States and thereby entered into force immediately.
On the U.S. side, the U.S. Department of Commerce will start operating the Privacy Shield. Companies will be able to certify with the Commerce Department starting 1 August.
What can I do now?
If you are a U.S. company recieving personal data from the E.U. and if you wish to make use of the EU-U.S. Privacy Shield you should review the framework and update your compliance accordingly where necessary. From 1 August on you will be able to certify under the new EU-U.S. Privacy Shield principles with the U.S. Commerce Department.
If you are a EU based company exporting data to U.S. companies and wish to do so under the new EU-U.S. Privacy Shield principles you should contact your U.S. business partner and encourage him to certify with the U.S. Commerce Department, which will be possible form 1 August on. Further, you should monitor your local Data Protection Authorities Guidelines and instructions. In your own interest you should ensure that all requirements are met before transferring data under the new EU-U.S. Privacy Shield.
As the data exporter you will remain responsible and liable for compliance with the new framework when exporting personal data to the U.S.
Is the EU-U.S. Privacy Shield for eternity now?
Probably not. Privacy activists and EU DPAs doubt that the EU-U.S. Privacy Shield complies with the requirements oft he ECJ set out in the Schrems-ruling of 6 October 2015 that invalidated the Safe Harbor principles. It is likely that activists will challange data transfer based on the EU-U.S. Privacy Shield in court and Member State courts will refer such cases to the ECJ.
After the invalidation oft he „Safe Harbor“ principles by the ECJ ruling of 6. October 2015 the European Commission and the U.S. Government reached on 2 February 2016 a political agreement on a new framework for transatlantic exchanges of personal data for commercial purposes, known as the EU-U.S. Privacy Shield. The Commission presented the draft decision texts on 29 February 2016. Following the opinion of the article 29 working party (data protection authorities) of 13 April and the European Parliament resolution of 26 May, the Commission finalised the adoption procedure on 12 July 2016.
Links to official information and documents