Good news for businesses on both sides of the Atlantic: the EU-U.S. Privacy Shield became operational on 1 August 2016, following its formal adoption by the European Commission on 12 July 2016. The Privacy Shield allows for the transfer of personal data from the EU to the U.S. In this blog post, we summarize the most important facts that you need to know about the Privacy Shield.
Data flows know no borders in today’s digital economy. It is therefore vital that privacy laws enable the cross-border transfer of personal data and, at the same time, ensure a high level of protection for the data of individuals. The EU-U.S. Privacy Shield aims to meet these needs and requirements with respect to the EU and the U.S. It replaces the Safe Harbor framework, which was invalidated in October 2015 by the Court of Justice of the European Union in a “David v Goliath” data protection case, in which an Austrian law student successfully relied on his privacy rights against Facebook (see our earlier blog post on the case here).
The Privacy Shield encompasses a number of principles that aim to provide an adequate level of protection for the personal data of European citizens transferred to entities operating in the U.S., covering questions such as onward transfers, purpose limitation and enforcement. To benefit from the possibility of transatlantic data transfers under the Privacy Shield, American companies must adhere to the principles of the Shield mechanism, which will be binding on them and enforceable against them in case of non-compliance. The U.S. Department of Commerce registers the companies that undertake the strict obligations imposed by the Privacy Shield via a self-certification mechanism. U.S. entities that self-certify by 30 September will be granted a nine-month grace period to comply with the Privacy Shield principles. The list of registered companies is available here.
Moreover, the U.S. has undertaken certain commitments under the Privacy Shield regarding its intelligence activities, which led to the invalidation of the Safe Harbor framework (after Edward Snowden’s leaks). These commitments include the establishment of an ombudsperson mechanism to handle the complaints of European citizens against U.S. public authorities. The European Commission has issued a guide for European citizens regarding their rights under the EU-U.S. Privacy Shield.
It is still too early to tell whether the Privacy Shield is going to be a successful instrument. A number of American companies have already self-registered, and a few of the registered companies are large and important players such as Microsoft, Salesforce and Workday. The data protection authority of Hamburg is, however, already planning to challenge the legality of the EU-U.S. Privacy Shield before the Court of Justice of the EU. As of today, and until the court rules otherwise, one can rely on the Privacy Shield as an alternative for lawful transatlantic transfers.