EU-US Privacy Shield

The so-called EU-US ‘Privacy Shield’, agreed between the European Commission (“EC”) and the US Department of Commerce (“DOC”) in February 2016, is a new framework for transatlantic data flows. It entered into force on 1st August 2016 and allows for transfers from a data controller or data processor in the EU to self-certified US companies.

This follows the declaration in October 2015 that the old 'Safe Harbor' framework did not provide adequate protection for transfers of individuals' data to the US (see our previous article European Ruling that 'Safe Harbor' is invalid). This new framework is intended to protect the fundamental rights of Europeans in relation to transatlantic transfers of their data and ensure legal certainty for businesses.

The EC has published a Guide to the EU-US Privacy Shield which explains how individuals' rights are protected under the Privacy Shield framework. The Information Commissioner's Office (“ICO”) has also published a blog post summarising the current position on EU-US data transfers.

What do US companies need to do under the Privacy Shield?

It is entirely voluntary, but US companies have been able to self-certify with the DOC from 1st August 2016 (see DOC: How to Join Privacy Shield: Guide to Self-Certification).

In practice, if American companies decide to certify, they will need to:

Privacy Shield Principles

Companies that participate in the Privacy Shield must adhere, where relevant, to the following Privacy Shield principles (“Principles”), which are largely based on Safe Harbor, although requirements around their implementation have been enhanced:

Organisations also need to implement processes for responding to inquiries and requests from the DOC regarding compliance with the Principles.

Regarding onward transfers of data, organisations remain liable if their agent processes data in a way that is inconsistent with the Principles, unless the organisation proves that it is not responsible for the event giving rise to the damage.

Further details of the Privacy Shield Principles can be found here and participating organisations must also adhere to 16 supplemental principles, where applicable.

The Privacy Shield applies to both controllers and processors (agents) and processors must be contractually bound to act only on instructions from the EU controller and assist the latter in responding to individuals exercising their rights under the Principles.

What does this mean for existing mechanisms to transfer data such as the Model Contract Clauses and Binding Corporate Rules?

The ICO has confirmed that these are still valid ways to transfer personal data to the US. Details of other options can be found in the relevant ICO guidance which the ICO will be updating to cover the Privacy Shield.

Looking forward and further information

We will have to see what the take up of the Privacy Shield will be. Certainly several hundred companies appear to have already self-certified. The Privacy Shield may possibly offer an advantage where a US company is receiving data from multiple EU based businesses since it could perhaps obviate the need to enter into the Model Clauses with each one. However, self-certifying undoubtedly comes with its own burdens and costs and, currently, there is no certainty that EU based businesses will all accept the Privacy Shield. Some may prefer the existing Model Clauses not least because there is some ongoing debate as to whether the legality of the Privacy Shield will be challenged.

There is an EC Factsheet as well as a DOC Factsheet, which have some useful information on the key elements of the Privacy Shield and requirements for participating companies respectively. We will be keeping a watch on any further developments and will update this article accordingly.

28th September 2016
