The EU-US Privacy Shield was established by the EU Commission in August 2016 to replace the previous ‘Safe Harbour’ system, which was ruled unlawful by the European Court of Justice (to read the ECJ’s decision, see here).
To ensure continued compliance with the scheme by US organisations and the US government, the EU Commission conducts an annual review of the Privacy Shield. The most recent review was undertaken in September, with the report released by the Commission last week (for reference, see here).
What is the EU-US Privacy Shield?
The Privacy Shield aims to provide a safe way of transferring personal data from the EU to organisations in the US by imposing obligations on US companies which receive personal data from the EU, and on the US government should it request access to that data (for more information, see our blog here).
The Privacy Shield was seen as an improvement on Safe Harbour, introducing enhanced protective mechanisms, limits on the length of time companies can retain personal data, and conditions under which data can be shared with third parties outside the Privacy Shield, for example, the US government.
Certification and Oversight
Before US organisations can legally receive personal data from EU countries, they must be certified under the Privacy Shield. This certification procedure is overseen by the US Department of Commerce (the “DoC”).
The Privacy Shield Ombudsperson has also been set up to address complaints concerning access to personal data by the US government for national security and other public interest purposes. Additionally, the Privacy Shield Arbitration Panel provides a final redress mechanism for EU individuals whose data is not used properly under the Privacy Shield, or who consider that a US company is not complying with its rules.
What did the Commission conclude?
Shortly after the Privacy Shield was established, two separate challenges were launched regarding the legality of the arrangement (see our previous blog post here). Despite those early challenges, the EU Commission has now confirmed its decision from July 2016, ruling that the Privacy Shield continues to ensure an “adequate” level of protection of personal data.
This decision was reached on the basis that:
What has the Commission recommended?
Despite the Commission’s confirmation that the Privacy Shield is safe to operate for another year, it also expressed several concerns about the system, and made various recommendations to further improve it:
What does this mean for you as a business?
Over 2,400 US organisations are certified to use the Privacy Shield, meaning an increasing amount of personal data is being transferred across the Atlantic. All UK organisations relying upon the Privacy Shield should be sure to check that any US businesses they are sharing data with are fully certified. The US Privacy Shield website contains a list of certified US organisations, which can be found here.
Undertaking a review of your organisation’s international data transfers is an essential part of your organisation’s preparation for the implementation of the General Data Protection Regulation (GDPR) in May 2018. If your US data transfers are not protected by the Privacy Shield scheme, your organisation must rely on one of the other lawful bases available to transfer personal data to the US, such as standard contractual clauses or binding corporate rules.