EU-US Privacy Shield

Of Relevance to:
Firms whose business model involves the transmission of personal data to the US.

It may be recalled that in October 2015 the European Court of Justice declared that the ‘Safe Harbor’ framework was invalid.

As a reminder, the transfer of personal data to a country outside the EEA is prohibited unless the European Commission has established (adopted an ‘adequacy decision’) that such a country has an adequate level of protection for personal data.

Whilst the US was not included in the list of ‘adequate’ countries, it was permissible to send personal data to those US firms that had signed up to the voluntary Safe Harbor scheme which, as mentioned above, was subsequently deemed invalid. Please see Regulatory Roundup 70 for further background information relating to the Safe Harbor scheme and Regulatory Roundup 74 in respect of its proposed replacement – the EU-US Privacy Shield.

The EU-US Privacy Shield has now been formally adopted by the European Commission. The effect of this will be that EEA firms will be able to transmit personal data to those US firms that appear on the Privacy Shield list.

Companies appearing on the list will self-certify annually that they meet the relevant requirements. The US Department of Commerce will maintain this Privacy Shield list and will also monitor and actively verify that companies’ privacy policies are in line with the Privacy Shield principles and are readily available to the public. Any firms that are no longer members of the Privacy Shield will be required to continue to apply its principles to personal data received when they were in the Privacy Shield for as long as they continue to retain such data.

The Information Commissioner’s Office (“ICO”) reminds us that whilst the Privacy Shield ensures the ‘adequate protection’ of personal data, it is not the only approach. Therefore, for instance, a UK firm that discovers that the US entity they were intending to transmit personal data to does not appear on the list can consider recourse to Binding Corporate Rules or Standard Contractual Clauses – see the ICO link for further information.

The European Commission has produced a guide to the EU-US Privacy Shield which firms may find of interest.