The European Commission has today adopted the EU-US Privacy Shield, which will be effective in the European Union ("EU") once the adequacy decision is notified to the Member States. The EU press release states that once the Privacy Shield framework has been published in the Federal Register in the US, the Department of Commerce will begin operating the Privacy Shield, with a view to companies being able to certify from 1 August 2016.
The Privacy Shield's formal adoption brings to an end months of uncertainty over the validity of trans-Atlantic data flows following the invalidation of the Safe Harbor regime by the Court of Justice of the EU on 6 October 2015. Changes brought about by the Privacy Shield include stronger obligations on companies importing data from the EU, with the US Department of Commerce threatening to remove non-compliant companies from the list. An Ombudsperson mechanism has also been established within the US Department of State to ensure redress for EU citizens that believe their rights have been breached.
- Self-certification under the Privacy Shield will be possible from 1 August 2016.
- Certification under the invalidated Safe Harbor will not be sufficient to benefit from the Privacy Shield.
- US companies should review the Privacy Shield framework now and ensure compliance prior to self-certifying.
If you would like further guidance on the Privacy Shield please contact me.
Barry Fishley, Editor.