EU-U.S. Privacy Shield, replacing the Safe Harbour framework for transatlantic exchanges of personal data for commercial purposes, adopted by the College of EU Commissioners (EU Commission Decision C(2016) 4176 final).
On July 12, 2016, the EU Commission definitively adopted the EU-U.S. Privacy Shield, replacing the Safe Harbour framework, which had been annulled by the European Court of Justice in Luxembourg in October 2015. The decision entered into force the same day. US companies will be able to certify with the US Commerce Department as of August 1st, 2016.
The Privacy Shield framework has restored legal certainty (for EU businesses) for data flows from the EU countries to the US, which had been suspended since October 2015, leaving EU businesses with daily exchanges of data in disarray and despair as to which procedure to apply without risking a fine.
The EU Commission has issued an “adequacy decision”, which has the effect that personal data can flow from the 28 EU member states (plus the three EEA member countries) to that third country (i.e. the US) without further restrictions.
The Privacy Shield has, however, established new and stricter principles and obligations, which must be respected as conditions precedent for the Privacy Shield to actually apply.
These are imposed on the US companies that self-certify under the Privacy Shield, and are the following:
To ensure that the rights of EU citizens are respected and heard, the Privacy Shield provides for safeguards and transparency obligations on US government access. Everyone in the EU will benefit from redress mechanisms in this area. The US Secretary of State has established a redress possibility for EU citizens through an Ombudsperson mechanism within the Department of State.
An annual joint (i.e. EU/US) review mechanism will monitor the functioning of the Privacy Shield, including the commitments and assurances regarding access to data for law enforcement and security purposes.
US companies will have to review their compliance programs (and, in the first place, have a compliance program at all!), as the program must provide for an annual review so that it can adapt to company realities, legislation and US case law.
The Privacy Shield certification is to be renewed on an annual basis.