At a joint press conference in Brussels this morning (July 12, 2016), EU Commissioner Jourová and the U.S. Secretary of Commerce, Penny Pritzker, presented the new EU-U.S. data transfer mechanism (see press release here, adequacy decision text here, annexes here and Q&A factsheet here). The press conference followed the approval of the underlying adequacy decision by the College of EU Commissioners. This was the last step in the adoption of the Privacy Shield in the EU. Last night, Commissioner Jourová discussed the new framework with the European Parliament.
This announcement is the culmination of more than two years of negotiation between the EU and the U.S. on the revision of the previous EU-U.S. Safe Harbor framework (invalidated by the Court of Justice of the EU in October 2015). Once translated and published in the Official Journal of the EU, the adequacy decision will enter into force. The U.S. Department of Commerce is now working on the implementation of the framework and will accept self-certifications from U.S.-based companies from August 1, 2016. The Department of Commerce has released a Guide to Self-Certification, available here. Companies will need to update their privacy policies and verification mechanisms, and identify an independent dispute resolution provider, prior to self-certifying.
The Privacy Shield provides a legal basis for transfers of personal data from the European Economic Area to Privacy Shield-certified companies in the U.S. It contains a much more robust set of commitments than those underpinning the Safe Harbor and will provide stronger protections to data subjects in the EU than its predecessor. The European Commission will produce a citizens’ guide to explain redress options for EU citizens.
For further background on the Privacy Shield, see past InsidePrivacy coverage here.