Privacy Shield up and running
EU-US Privacy Shield
27 April 2017
Facilitating transfers of personal data between the EU and the U.S.
On 12 July 2016 the European Commission adopted the final version of the EU-U.S. Privacy Shield, which enables the transfer of personal data between the EU and the U.S. The Privacy Shield replaces the Safe Harbor arrangement, which was invalidated by the European Court of Justice in October 2015. Companies have been able to sign up for the Privacy Shield since 1 August 2016. Companies such as Google, Microsoft, Salesforce and Oracle are amongst those that have been certified.
Valid legal basis for data transfer to the US
The European Commission has adopted the Privacy Shield pursuant to a so-called "adequacy decision", an instrument through which it can allow the transfer of personal data to a country outside the European Economic Area (EEA) on the basis that the recipient country ensures an adequate level of protection for the transferred data.
Transfers of personal data to companies in the U.S. that certify to and comply with the requirements of the Privacy Shield are now regarded as providing an adequate level of protection and, therefore, do not breach EU restrictions on the international transfers of personal data.
The Privacy Shield does not apply to data transfers to jurisdictions other than the U.S., nor to transfers to U.S. companies that do not participate in the Privacy Shield. Participation is only available to U.S. companies that are regulated by the U.S. Federal Trade Commission or the Department of Transportation and is not, therefore, available to (for example) financial institutions.
The Privacy Shield consists of Privacy Principles that companies must abide by and commitments by the U.S. government on how the arrangement will be enforced and, more widely, on the exercise of its own powers of access to personal data transferred from the EEA. The arrangement imposes strong obligations on companies in the U.S. handling data from the EEA, including strict conditions for onward transfers. U.S. companies will be subject to oversight mechanisms to ensure compliance. There are safeguards and transparency obligations regarding U.S. government access, including written assurance from the U.S. government that data access by its agencies will be subject to defined limitations. European citizens who consider that their data have been misused will have several redress possibilities. The functioning of the Privacy Shield and the U.S. commitments will be reviewed annually, so that the European Commission can take appropriate measures to continue ensuring an adequate level of protection.
How does it work?
Like the former Safe Harbor framework, the Privacy Shield is based on self-certification. As part of this certification, companies in the U.S. must commit to the Privacy Principles. Compliance with the Privacy Principles entails, amongst other things, that U.S. companies will need to comply with information and purpose limitation requirements, take security measures and grant individuals access rights to their data. Companies must also make their privacy policies public and provide links to (i) the website of the U.S. Department of Commerce, (ii) the Privacy Shield List, and (iii) the website of an appropriate alternative dispute settlement provider. Each certification must be renewed annually. The U.S. Department of Commerce will maintain the public Privacy Shield List of participating companies.
The Privacy Shield entered into force on 12 July 2016 and has been fully operational since 1 August 2016; more than 200 companies were certified within the first two months. In parallel, the Commission has published a short guide for citizens, explaining the remedies available when an individual considers that his or her personal data has been used in breach of the data protection rules.
The Privacy Shield still faces criticism from privacy activists on the basis that it does not adequately protect EU personal data from U.S. governmental access and further legal challenge may follow. One of the alternatives is to use the standard EU Model Contracts for the transfer of personal data outside the EEA, including to the U.S., although these are also subject to challenge, in a case that has already been referred to the EU Court of Justice. For now, the Privacy Shield is a valid legal basis for data transfers to the U.S.
Companies with U.S. operations that are eligible to join may therefore wish to consider joining. Furthermore, if you use or are looking to use U.S. service providers who process personal data on your behalf, consider discussing with them whether they plan to self-certify to the Privacy Shield – for the time being, at least, it may be a more secure mechanism than the EU Model Contracts for justifying the transfer of personal data to the U.S. It also has the advantage that it does not require prior approval by a data protection authority in any EEA member state, whereas several member states still recognise the Model Contracts only on the basis of prior approval.