The European Commission has, after considering opinions from the Article 29 Working Party (the group made up of Europe's data protection regulators), the European Data Protection Supervisor, and the resolution of the European Parliament, made a number of additional clarifications and improvements to the draft "Privacy-Shield" it presented in February 2016, and on 12 July 2016 launched the EU-U.S. Privacy Shield.
The Article 29 Working Party still has some reservations about Privacy-Shield, including the lack of clarity around data processor obligations and the lack of formal protection against mass surveillance by US security services. However, the group of regulators has praised other improvements made by the Commission and will reserve judgment on any remaining concerns until the first annual review in 2017, thus giving the green light to "Privacy-Shield" for at least 12 months (there are some concerns that Privacy-Shield may, like its predecessor, be referred to the CJEU, but this is unlikely to happen before the first annual review).
Back to Business
The Privacy Shield will provide companies with a framework for certifying transatlantic data transfers, restoring a mechanism for adequately transferring data to U.S. companies that have signed up to the Privacy-Shield.
Safe Harbor 2.0
The Privacy Shield has been developed as a consequence of political and economic pressures created by the lack of a framework protecting the flow of personal data between the U.S. and Europe.
The "Privacy-Shield" will protect the fundamental rights of European citizens whose personal data is transferred to the U.S. and bring some more legal certainty for businesses relying on transatlantic data transfers.
Privacy Shield vs Safe Harbor
"Certified" companies must comply with the Privacy Shield principles, following the certification process (set out below).
The Privacy Shield core principles are largely based on the previous Safe Harbor principles; however, there are some significant changes:
Certification Process
The certification process for U.S. companies is entirely voluntary. Self-certification becomes available from today (1 August 2016).
Companies will be able to self-certify on an annual basis that they meet the Privacy Shield requirements by taking the following steps:
1. Confirm their eligibility to participate in the Privacy Shield. Any US company that is subject to the jurisdiction of the FTC or the Department of Transportation may participate.
2. Ensure that they have a Privacy Shield compliant privacy policy. Requirements include: a specific reference to the Privacy Shield Principles, a hyperlink to the Privacy Shield website, and a link to the company's independent recourse mechanism and alternative dispute resolution procedure.
3. Identify the company's independent recourse mechanism. Self-certifying organizations must provide an independent recourse mechanism available to investigate unresolved complaints at no cost to the individual.
4. Ensure that the company has a compliance verification mechanism.
5. Designate a contact within the company for Privacy Shield matters.