EU-US Privacy Shield Adopted by the European Commission and US Department of Commerce

On July 12, 2016, the European Commission reported the formal adoption of the EU-US Privacy Shield Framework (Privacy Shield), which governs the transfer of data between the EU and the US.  As previously reported in E-TIPS® newsletter, the new privacy framework was announced earlier this year.

Privacy Shield is intended to replace the Safe Harbour Privacy Agreement, which was declared to provide inadequate privacy protection by the European Court of Justice in its judgment dated October 6, 2015.

While many aspects of Privacy Shield are the same as the Safe Harbour scheme, there are some important differences. 

For example, while the certification and annual re-certification processes remain the same, the Department of Commerce will now monitor compliance through, among other things, audits of companies that are Privacy Shield certified (for example, via questionnaires). 

While many notice requirements remain the same, the Privacy Shield notice principles now also notably include an obligation for the organization to inform individuals about:

1. the individual’s right to access their personal information;
2. the requirement to disclose personal information in response to lawful requests from public authorities;
3. the independent dispute resolution body designated to address complaints and provide recourse to data subjects;
4. the enforcement authorities that have jurisdiction over the organization’s compliance with Privacy Shield; and
5. the organization’s liability in cases of onward transfer of data to third parties.

For further information on Privacy Shield, please see:

International Trade Administration – Privacy Shield Overview

European Commission – Guide to the EU-US Privacy Shield

Summary By: Michael House