On 2 February 2016 the European Commission and the U.S. Government reached a political agreement on a new framework for transatlantic exchanges of personal data for commercial purposes: the EU-U.S. Privacy Shield (see IP/16/216). The Commission presented the draft decision texts on 29 February 2016. Following the opinion of the Article 29 Working Party (data protection authorities) of 13 April and the European Parliament resolution of 26 May, the Commission finalised the adoption procedure on 12 July 2016.
The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce. On July 12, the European Commission deemed the Privacy Shield Framework adequate to enable data transfers under EU law.
The Privacy Shield program, which is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce, enables U.S.-based organisations to join the Privacy Shield Framework in order to benefit from the adequacy determination. To join the Privacy Shield Framework, a U.S.-based organization will be required to self-certify to the Department of Commerce and publicly commit to comply with the Framework’s requirements. While joining the Privacy Shield Framework is voluntary, once an eligible organisation makes the public commitment to comply with the Framework’s requirements, the commitment will become enforceable under U.S. law. All organizations interested in joining the Privacy Shield Framework should review its requirements in their entirety.
The new framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States as well as bringing legal clarity for businesses relying on transatlantic data transfers.
The EU-U.S. Privacy Shield is based on the following principles:
Since presenting the draft Privacy Shield in February, the Commission has drawn on the opinions of the European data protection authorities (Art. 29 Working Party) and the European Data Protection Supervisor, and the resolution of the European Parliament, to include a number of additional clarifications and improvements. The European Commission and the U.S. notably agreed on additional clarifications on bulk collection of data, strengthening the Ombudsperson mechanism, and more explicit obligations on companies as regards limits on retention and onward transfers.
The “adequacy decision” will be notified today to the Member States and thereby enter into force immediately. On the U.S. side, the Privacy Shield framework will be published in the Federal Register, the equivalent to our Official Journal. The U.S. Department of Commerce will start operating the Privacy Shield. Once companies have had an opportunity to review the framework and update their compliance, companies will be able to certify with the Commerce Department starting August 1. In parallel, the Commission will publish a short guide for citizens explaining the available remedies in case an individual considers that his personal data has been used without taking into account the data protection rules.
The EU-U.S. Privacy Shield reflects the requirements set out by the European Court of Justice in its ruling on 6 October 2015, which declared the old Safe Harbour framework invalid.