Privacy Shield Formally Adopted: Self-Certifications Start August 1, 2016
Client Alert | 2 min read | 07.13.16
The European Commission, alongside the U.S. Department of Commerce, on July 12 announced the final adoption of the EU-U.S. Privacy Shield (Privacy Shield), the legal framework that replaces the previously invalidated U.S.-EU Safe Harbor (Safe Harbor) framework for transatlantic data transfers. Companies will be able to self-certify under the new regime starting August 1, 2016.
History of the Negotiation
The European Parliament, as well as a committee of representatives of the EU Member States and their data protection authorities (Article 29 Working Party), initially criticized the Privacy Shield documents and principles first released on February 29, 2016. As a result of the criticism, the European Commission, in close cooperation with the U.S. authorities, clarified and improved the initial Privacy Shield documents. On July 8, 2016, the European Union (EU) Member States, in their function as the Article 31 Committee, approved this amended version of the Privacy Shield.
The amendments include more explicit declarations of the European Commission regarding obligations of companies in relation to limits on personal data retention and onward transfers. The U.S. authorities in turn provided additional clarifications regarding the bulk collection of data, and have strengthened the Ombudsperson mechanism within the U.S. Department of State (a newly formed position created to address EU citizens’ concerns regarding the collection of data for national security purposes).
Future Legal Challenges
Throughout the negotiations, critics have warned of a legal challenge to the Privacy Shield. That criticism continues. Privacy activist Max Schrems as well as EU Member of Parliament Jan-Philipp Albrecht are already on record criticizing the new framework. However, the European Commission leadership stood by their final adequacy finding on July 12 with robust statements supporting their belief in the new framework’s ability to reflect the requirements laid out in the European Court of Justice’s October 2015 judgment ruling Safe Harbor invalid.
The EU data protection authorities are set to meet and discuss the final Privacy Shield documents on July 25, 2016. A resolution of the European Parliament on the Privacy Shield is planned for September 2016. The outcome of both processes may influence future policy or European Court of Justice decisions, but neither body is able to invalidate the European Commission’s Privacy Shield adequacy finding. Though there may be political or legal challenges to the Privacy Shield, the European Court of Justice in its October 2015 judgment made clear that it alone has the authority to invalidate adequacy findings like the one Privacy Shield just received.
Timeline for Implementation
The U.S. Department of Commerce is set to begin accepting applications for self-certification under the Privacy Shield starting August 1, 2016. Until then, companies that want to transfer personal data from the EU to the U.S. must continue using other data transfer mechanisms, such as approved Binding Corporate Rules (BCRs) or EU Standard Contractual Clauses.
Companies that wish to adhere to the new Privacy Shield data transfer framework, whether or not they were previously Safe Harbor certified, should begin to review the Privacy Shield and seek legal advice to discuss changes needed to ensure compliance with the requirements of the new framework.




