1. Home
  2. |Insights
  3. |Privacy Shield Formally Adopted: Self-Certifications Start August 1, 2016

Privacy Shield Formally Adopted: Self-Certifications Start August 1, 2016

Client Alert | 3 min read | 07.13.16

The European Commission, alongside the U.S. Department of Commerce, on July 12 announced the final adoption of the EU-U.S. Privacy Shield (Privacy Shield), the legal framework that replaces the previously invalidated U.S.-EU Safe Harbor (Safe Harbor) framework for transatlantic data transfers. Companies will be able to self-certify under the new regime starting August 1, 2016.

History of the Negotiation

The European Parliament, as well as a committee of representatives of the EU Member States and their data protection authorities (Article 29 Working Party) initially criticized the Privacy Shield documents and principles first released on February 29, 2016. As a result of the criticism, the European Commission in close cooperation with the U.S. authorities, clarified and improved the initial Privacy Shield documents. On July 8, 2016, the European Union (EU) Member States in their function as the Article 31 Committee approved this amended version of the Privacy Shield.

The amendments include more explicit declarations of the European Commission regarding obligations of companies in relation to limits on personal data retention and onward transfers. The U.S. authorities in turn provided additional clarifications regarding the bulk collection of data, and have strengthened the Ombudsperson mechanism within the U.S. Department of State (a newly formed position created to address EU citizens’ concerns regarding the collection of data for national security purposes).

Future Legal Challenges

Throughout the negotiations, critics have warned of a legal challenge to the Privacy Shield. That criticism continues. Privacy activist Max Schrems as well as EU Member of Parliament Jan-Philipp Albrecht are already on record criticizing the new framework. However, the European Commission leadership stood by their final adequacy finding on July 12 with robust statements supporting their belief in the new framework’s ability to reflect the requirements laid out in the European Court of Justice’s October 2015 judgment ruling Safe Harbor invalid.

The EU data protection authorities are set to meet and discuss the final Privacy Shield documents on July 25, 2016. A resolution of the European Parliament on the Privacy Shield is planned for September 2016. The outcome of both processes may influence future policy or European Court of Justice decisions, but neither body is able to invalidate the European Commission’s Privacy Shield adequacy finding. Though there may be political or legal challenges to the Privacy Shield, the European Court of Justice in its October 2015 judgment made clear that it alone has the authority to invalidate adequacy findings like the one Privacy Shield just received.

Timeline for Implementation

The U.S. Department of Commerce is set to begin accepting applications for self-certification under the Privacy Shield starting August 1, 2016. Until then, companies that want to transfer personal data from the EU to the U.S. must continue using other data transfer mechanisms, such as approved Binding Corporate Rules (BCRs) or EU Standard Contractual Clauses.

Companies that wish to adhere to the new Privacy Shield data transfer framework, whether or not they were previously Safe Harbor certified, should begin to review the Privacy Shield and seek legal advice to discuss changes needed to ensure compliance with the requirements of the new framework.

Insights

Client Alert | 2 min read | 11.20.24

CBCA Denies the Government’s Motion for Summary Judgment Based on an Issue of Fact Regarding the Contractor’s Reservation of Rights via a Transmission Email

In Fortis Industries, Inc., CBCA 7967 (Sept. 18, 2024), the Civilian Board of Contract Appeals (CBCA) denied in part the government’s motion for partial summary judgment on the issue of whether the contractor released its claims by signing a modification terminating the contract for convenience. During contract performance, the General Services Administration (GSA) imposed monthly deductions to contract payments as a response to certain performance issues. GSA later proposed to terminate the contract for convenience and sent a contract modification stating that all obligations under the contract were concluded except payment for work performed in June 2022. The contractor signed the modification but stated in its transmittal email that it was owed payment for services in May 2022 as well. ...