Privacy Shield Formally Adopted: Self-Certifications Start August 1, 2016
Client Alert | 2 min read | 07.13.16
The European Commission, alongside the U.S. Department of Commerce, on July 12 announced the final adoption of the EU-U.S. Privacy Shield (Privacy Shield), the legal framework that replaces the previously invalidated U.S.-EU Safe Harbor (Safe Harbor) framework for transatlantic data transfers. Companies will be able to self-certify under the new regime starting August 1, 2016.
History of the Negotiation
The European Parliament, as well as a committee of representatives of the EU Member States and their data protection authorities (Article 29 Working Party) initially criticized the Privacy Shield documents and principles first released on February 29, 2016. As a result of the criticism, the European Commission in close cooperation with the U.S. authorities, clarified and improved the initial Privacy Shield documents. On July 8, 2016, the European Union (EU) Member States in their function as the Article 31 Committee approved this amended version of the Privacy Shield.
The amendments include more explicit declarations of the European Commission regarding obligations of companies in relation to limits on personal data retention and onward transfers. The U.S. authorities in turn provided additional clarifications regarding the bulk collection of data, and have strengthened the Ombudsperson mechanism within the U.S. Department of State (a newly formed position created to address EU citizens’ concerns regarding the collection of data for national security purposes).
Future Legal Challenges
Throughout the negotiations, critics have warned of a legal challenge to the Privacy Shield. That criticism continues. Privacy activist Max Schrems as well as EU Member of Parliament Jan-Philipp Albrecht are already on record criticizing the new framework. However, the European Commission leadership stood by their final adequacy finding on July 12 with robust statements supporting their belief in the new framework’s ability to reflect the requirements laid out in the European Court of Justice’s October 2015 judgment ruling Safe Harbor invalid.
The EU data protection authorities are set to meet and discuss the final Privacy Shield documents on July 25, 2016. A resolution of the European Parliament on the Privacy Shield is planned for September 2016. The outcome of both processes may influence future policy or European Court of Justice decisions, but neither body is able to invalidate the European Commission’s Privacy Shield adequacy finding. Though there may be political or legal challenges to the Privacy Shield, the European Court of Justice in its October 2015 judgment made clear that it alone has the authority to invalidate adequacy findings like the one Privacy Shield just received.
Timeline for Implementation
The U.S. Department of Commerce is set to begin accepting applications for self-certification under the Privacy Shield starting August 1, 2016. Until then, companies that want to transfer personal data from the EU to the U.S. must continue using other data transfer mechanisms, such as approved Binding Corporate Rules (BCRs) or EU Standard Contractual Clauses.
Companies that wish to adhere to the new Privacy Shield data transfer framework, whether or not they were previously Safe Harbor certified, should begin to review the Privacy Shield and seek legal advice to discuss changes needed to ensure compliance with the requirements of the new framework.
Contacts
Insights
Client Alert | 1 min read | 07.08.26
CAS Board Publishes Final Rule Rescinding CAS 404, 408, 409, and 4117
As part of its ongoing effort to conform the Cost Accounting Standards (“CAS”) to generally accepted accounting principles (“GAAP”), the CAS Board published a final rule rescinding CAS 408 (Accounting for costs of compensated personal absence) and CAS 411 (Accounting for acquisition costs of material). The CAS Board also rescinded CAS 404 (Capitalization of tangible assets) and CAS 409 (Depreciation of tangible capital assets) but retained certain requirements of CAS 404 and 409, which will be located in new paragraphs of CAS 405 (Accounting for unallowable costs). Specifically, the CAS Board retained the requirements currently located at CAS 404-50(d)(1), CAS 409-50(e)(5), CAS 409-50(j)(1), and CAS 409-50(j)(4), which the CAS Board explained are necessary to protect the Government’s interests. Otherwise, the CAS Board determined that the requirements of CAS 404, 408, 409, and 411 overlapped with GAAP such that GAAP “may be applied reasonably as a substitute for CAS to support contract cost and pricing.”
Client Alert | 1 min read | 07.08.26
Crowell & Moring and Crowell GovCon Strategies at Farnborough International Airshow 2026
Client Alert | 7 min read | 07.08.26
Illinois Imposes Transparency and Safety Obligations on Frontier AI Systems
Client Alert | 10 min read | 07.08.26
Proactive Compliance in Health Care: “Getting Ahead” of Enforcement in 2026 and Beyond



