Privacy Shield - Uncertainties Remain

On 12 July 2016, the European Commission adopted the EU-US Privacy Shield as a replacement for the Safe Harbor mechanism, which had previously been declared invalid by the Court of Justice of the EU.

Around two weeks after the Commission's announcement, the Article 29 Working Party (the EU Data Protection Regulators) issued their statement on the decision. Although not fully endorsing Privacy Shield, and expressing concerns over a number of issues, the Working Party agreed not to launch any legal challenge to it for at least a year.

The US Department of Commerce (DoC) began to accept applications from US companies to sign up to Privacy Shield on 1 August. The number of applications and acceptances has been impressive. In a period of just one calendar month, the DoC has decided that the privacy policies of 103 US companies comply with the Privacy Shield standards. As of 1 September, the DoC confirmed that it was also reviewing the policies of a further 190 companies and additional 250 companies were submitting their policies.

The numbers of those who have been successful in applying, and who are waiting in line, is testament to the attractiveness of Privacy Shield to US companies who process personal data from the EU.

One significant point is that although the DoC is determining whether a company's policy meets the Privacy Shield standard it is not considering the more important issue of whether the applicant companies comply with those privacy policies. Drafting a compliant policy is a relatively easy step. Complying with it is another thing entirely.

The Commission and the US Government are happy with Privacy Shield. Andrus Ansip confidently stated that "it will protect the personal data of our people and provide clarity for businesses." The US Secretary of Commerce Penny Pritzker said that it "is a tremendous victory for privacy, individuals, and businesses on both sides of the Atlantic.", The Article 29 Working Party is content for now, and US companies are signing up in significant numbers.

However, two unanswered questions remain. Will EU data controllers be willing to rely on a data importer's Privacy Shield certification? How will data subjects react to a data controller transferring their information under that mechanism?

EU data controllers remain legally responsible for the transferred data. Knowing that a US company has had its privacy policy vetted and accepted by the DoC is an important step. But, a controller considering transferring data under the Privacy Shield would be wise to undertake their own due diligence to ensure that their data is being appropriately protected by the importing US company. No doubt, some controllers will insist on additional measures or alternative methods to protect their data.

Although the regulators may be granting Privacy Shield a year's grace, and as Max Schrems has demonstrated, individual data subjects can exercise their rights to influence EU data protection law. Data subjects could potentially challenge a data controller's reliance on Privacy Shield. Such individuals, unhampered by the Working Party's grace period, could bypass EU data protection regulators and seek to test Privacy Shield's validity through the courts.

There is no doubt that personal data will continue to flow across the Atlantic. The uncertainty lies in whether the flow will be interrupted.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.