On 12 July 2016, the European Commission adopted the EU-US Privacy Shield (the "Privacy Shield"), the new framework for transatlantic exchanges of personal data replacing the Safe Harbour agreement. The adoption follows a positive vote by the Member States' representatives in the Article 31 Committee on 8 July 2016. US companies can sign up to the Privacy Shield as from 1 August 2016. Once a US company is certified under the new scheme, transfers to this company from the EU will be permitted under Directive 95/46/EC (the "Data Protection Directive").
Under the Data Protection Directive, personal data must not be transferred to a recipient outside the EEA unless such a recipient is located in a country which is regarded as providing an "adequate" level of protection. The decision of 12 July 2016 declares that US companies registered under the Privacy Shield qualify for "adequate" protection status under the Data Protection Directive.
Improvements Provided by Privacy Shield
The draft framework principles and additional documents composing the Privacy Shield were published on 29 February 2016 (See, VBB on Business Law, Volume 2016, No. 2, p. 8, available at www.vbb.com). Since presenting the draft Privacy Shield in February, the European Commission and the US Department of Commerce have updated the texts to include a number of additional clarifications and improvements. These improvements draw on the opinions of the EU's Article 29 Working Party, an independent European advisory body on data protection and privacy comprised of representatives of the EU Member States' national data protection authorities, the European Data Protection Supervisor and the European Commission (See, VBB on Business Law, Volume 2016, No. 4, p. 6, available at www.vbb.com). They also reflect a resolution of the European Parliament.
The European Commission received additional clarifications from the US National Intelligence Office on the question of when bulk collection of data is permitted under US law. In addition, the updated texts of the Privacy Shield strengthen the ombudsman mechanism which provides redress against access by US authorities. The latest changes also impose more explicit obligations on companies as regards: (i) secondary use of personal data ("purpose limitation" principle); (ii) onward transfers of...