EU-US Privacy Shield: Here to Stay or Stay of Execution?

Will they, won't they? It appears that after much debate and even more consternation, the EU and US have finally entered into an uneasy marriage, with the European Commission formally committing to the transatlantic Privacy Shield. Although Austria, Slovenia, Bulgaria and Croatia were not wedded to the framework and abstained, the Privacy Shield is now ready for wielding.

Despite the new Privacy Shield framework applying immediately across Europe and registration opening for companies in the US, the saga of the Privacy Shield rumbles on. In April, the Article 29 Working Party scathingly said that the framework:

  • lacked detail on data retention; 
  • did not address the issue of bulk collection of data; and 
  • gave the ombudsman set up to deal with complaints insufficient bite to provide effective redress to complainants. 

After much negotiation between the EU and the US, the Privacy Shield has since been amended with these concerns in mind. Regular reviews will be carried out by the US Department of Commerce to ensure that:

  • companies are complying with the framework, with sanctions levied against those failing to comply;
  • data is deleted where it no longer serves the purpose for which it was gathered;
  • individuals have redress by way of an ombudsman, which will be independent from national security services to ensure its impartiality; and 
  • the US honours its assurances that access to data by US authorities will be subject to the necessary safeguards and limitations.

In light of such assurances, European regulators are taking a conciliatory approach, offering a grace period of a year before making any challenge to the framework. This coincides with its first joint annual review. Unfortunately, by no means does this ensure that the Privacy Shield is safe. Critics are already sharpening their knives for what could be fiery legal tussles ahead; independent data protection organisations or even an individual can still bring challenges against the framework. After all, it was the latter, in a David-and-Goliath-like battle, who brought the original Safe Harbour agreement crashing to its knees.

Technology companies and their corporate customers, however, should be heartened that there is now a framework in place that brings greater certainty when processing data across borders. Self-certifying in compliance with the Privacy Shield offers companies the chance to visibly assure their customers that they are a trusted importer of EU data by their inclusion on the register. The register is also accessible to the public. 

The approval of this framework is particularly important for technology companies and their corporate customers who have been relying on the EU model contract clauses since the Safe Harbour agreement's demise as a means of transferring data across the Atlantic. Such clauses now face a testing legal challenge of their own.

Whilst companies wishing to process EU data in the US should be mindful of the administrative burdens of being a member of the Privacy Shield, these should be weighed against the benefits of not having to negotiate separate bilateral agreements with their customers and of reducing the scope for criticism from privacy campaigners. In the outsourcing and technology world it is likely that customers will expect suppliers that process data in the US to be on the register, and therefore compliance will effectively become mandatory in order to do business. 

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at August 2016. Specific advice should be sought for specific cases. For more information see our terms & conditions.