The EU-U.S. Privacy Shield has been formally adopted by the European Commission, enabling U.S. companies who sign up to the framework to receive personal data from the EU. The new deal replaces the previous Safe Harbor framework, which was invalidated by the Court of Justice of the European Union (CJEU) last October.
The new framework includes enhanced privacy protections, including stronger rules regarding onward transfers, data retention and redress. One key development is that the Privacy Shield will be reviewed on an annual basis allowing it to evolve and adapt to future technological and legal developments.
Time will tell as to whether companies have confidence in the Privacy Shield and decide to rely on it as a means to justify their personal data transfers to the U.S. Major technology companies are already showing their commitment with Microsoft issuing a statement welcoming the decision and announcing that they will sign up to the new framework as soon as possible. Digital Europe, a group representing the European digital technology industry have also commended the approval.
The Privacy Shield will undoubtedly face legal challenge with privacy activists already threatening to take the agreement to court. Max Schrems, the individual responsible for bringing forward the CJEU case C-362/14 that invalidated the Safe Harbor decision, has criticized the deal and said that it is “very likely to fail again, as soon as it reaches the CJEU”.
Nevertheless, the Privacy Shield is an important step and provides some legal certainty for companies that have been left in limbo since the Safe Harbor invalidation. Without Safe Harbor, businesses have relied on Model Clauses and Binding Corporate Rules, both of which have their limitations. This approval is ever more important in light of the legal challenge against the Model Clauses. In addition, a key uncertainty is how the UK will participate in the Privacy Shield in light of Brexit.
This decision means, subject to any successful challenges, U.S. internet giants and cloud businesses will be able to continue to operate in Europe and retain EU data on servers in the U.S. It also enables the thousands of small and medium-sized businesses to continue sending EU citizens’ personal data to the U.S. which is critical for everyday business. U.S. businesses will be able to self-certify their compliance with the Privacy Shield from 1st August and an annual re-certification system will be in place.
