Today, 12 July 2016, the Privacy Shield was adopted by the EU Commission. Who would have thought that the Privacy Shield would be adopted so fast after the harsh criticism by the Art. 29 WP?
The new Privacy Shield
Privacy Shield registration shall be available to US companies starting August 1, 2016. The US Department of Commerce has already provided a HOW TO JOIN GUIDE.
Compared to v1 of the Privacy Shield, the adopted text received some cosmetic changes and fine-tuning of certain passages, e.g. purpose limitation and terminology. It is, however, not certain whether all points raised by the Art. 29 Working Party or other official bodies that oversee the framework have been cured. See some rather sceptical comments: https://www.janalbrecht.eu/themen/datenschutz-digitalisierung-netzpolitik/eu-us-privacy-shield-2.html or http://www.irishtimes.com/opinion/privacy-shield-the-new-eu-rules-on-transatlantic-data-sharing-will-not-protect-you-1.2719018.
Disqualification is threatened
According to unofficial statements, the likelihood of Privacy Shield coming before the ECJ is somewhere between 60 and 70%. This is very (too!) little certainty for companies to invest in or rely on the Privacy Shield. We expect that Privacy Shield will be challenged before court very soon. Also, local authorities are entitled to “suspend” Privacy Shield if they see a violation of EU law. Relying on Privacy Shield, therefore, carries legal risks.
UK data exporters should also have the Brexit situation in mind: As Privacy Shield is an agreement between the EU and the US, Privacy Shield seems a bit less Brexit-proof than Model Clauses.
Alternatives – Model Clauses and BCRs
Model Clauses are a well-established tool that is currently the only “quick fix” available for international data transfers; common alternative tools are BCRs or “ad hoc” clauses that both require approvals by competent authorities. Model Clauses will survive under GDPR (same for Privacy Shield, if not annulled).
Model Clauses are subject to review by the ECJ. The latest information is that the Irish DPA has asked the ECJ to rule on the Model Clauses. It is not public whether the ECJ has already started the proceedings. Once started, we expect the proceedings to last 12 to 24 months. This might coincide with GDPR and possibly even a new version of the Model Clauses.
What should you do now?
Despite the criticism, Privacy Shield will be a valid data transfer vehicle – at least in the short term. US companies that were Safe Harbor registered before will not have to make huge efforts to also comply with Privacy Shield and are well advised to register for Privacy Shield. EU data exporters then have the choice between Model Clauses and Privacy Shield and have to balance the risk for their own situation. For intra-group data transfers, BCR or ad hoc clauses or international data transfer framework agreements based on Model Clauses should be considered as another option.
EU data exporters should follow the discussions – on Privacy Shield, but also on the ECJ deciding on Model Clauses and also on Brexit. We expect more clarity around the challenging of Privacy Shield in autumn this year.
See our prior posts on Privacy Shield on this blog: http://datonomy.eu/tag/eu-us-privacy-shield/