On July 8, 2016, EU Member State representatives on the Article 31 Committee approved the EU-U.S. Privacy Shield ("Privacy Shield"), paving the way for the European Commission to formally adopt an adequacy decision for this critical trans-border data flow arrangement. Once adopted, the Privacy Shield will serve as a new legal mechanism for transatlantic personal data flows.
Privacy Shield Overview
The EU Commission issued a draft adequacy decision and related documents in February that contained the legal framework for Privacy Shield. The Privacy Shield is different than its predecessor, the U.S.-EU Safe Harbor Arrangement, in that Privacy Shield contains more robust commercial data privacy terms and protections, but perhaps more fundamentally, it also reflects a much broader and deeper array of legal protections in the United States on issues of government surveillance for law enforcement and national security purposes. In addition, Privacy Shield includes additional redress mechanisms, including "backstop" arbitration for individual data subjects, and a State Department Ombudsperson office to handle complaints about national security surveillance issues. Our detailed analysis of the Privacy Shield obligations and framework is available here.
The Article 31 Committee approval represents one of the final steps concluding months of intense negotiation between EU and U.S. officials. In particular, both members of the EU Parliament and EU data protection authorities noted the substantial improvements provided by the Privacy Shield in comparison to Safe Harbor, but nonetheless voiced concerns over the level of protection provided by the Privacy Shield and encouraged negotiators to strengthen its requirements. Now that the Privacy Shield has been approved by the Article 31 Committee, the EU Commission is expected to issue a final adequacy decision shortly. This final decision implementing the agreement is expected to enhance the original EU-U.S. Privacy Shield framework released by the Commission this February on a few key issues, including assurances on specific government surveillance issues.
With adoption appearing imminent, companies should assess Privacy Shield's impact on their EU-U.S. data transfer strategy. In particular, there is a limited "grace period" available in that companies that self-certify within two months of Privacy Shield's effective date will be given a ninth month transitional period to address relationships with third parties. Companies that have maintained their Safe Harbor certifications should accordingly consider whether to develop a transition strategy to Privacy Shield, and others should consider whether adoption of Privacy Shield would make sense given their industry sector, customer demands, and business model.
Going forward, Privacy Shield itself is likely to be subject to legal challenges in court by privacy advocates or others, as was its predecessor, the Safe Harbor. However, it is expected that the European Commission will be able to mount a materially stronger defense to any such challenges on the basis of the many improvements to the protections in Privacy Shield. In addition, companies should remain attentive to other developments, such as the Irish Data Protection Authority's referral of the EC standard contractual clauses to the European Court of Justice, as part of the larger trends affecting transatlantic commerce and data transfers.