As from 1st August 2016 companies will be able to sign up to a new transatlantic data-transfer framework that will enable them to legally transfer personal data from Europe to the US.
This is the consequence of the formal adoption of the Privacy Shield on 12 July 2016, that replaced the previous Safe Harbour Decision which was invalidated by the CJEU in October 2015.
The EU Commission claims the new Privacy Shield is fundamentally different from the Safe Harbour Decision and argues that it places stronger obligations on companies in the US and on the US government to protect EU citizens data thanks to its new safeguards (strong obligations on companies handling data, clear safeguards and transparency obligations on U.S. government access, effective protection of individual rights, annual joint review mechanism, establishment of an Ombudsman, etc.).
The Privacy Shield is based on a system of self-certification by which U.S. organizations commit to a set of privacy principles approved by the US Commerce Department and the EU Commission.
EU companies will now be authorized to transfer data from the EU to the US on the basis of the Privacy Shield, without the need to adopt alternative legal measures - such as adopting binding corporate rules, implementing standard contractual clauses or obtaining explicit consent for the occasional transfer of data to the US.
However, companies should be aware that further developments are likely. The Article 29 Working Party (a body which represents the EU’s national data protection authorities), alongside well-known data protection activist, Max Schrems, warned in April that the Privacy Shield could be challenged before the CJEU because of remaining inconsistences with European privacy standards. The Article 29 Working Party also announced it will analyze the completed last version of the framework and meet on 25 July to agree on a common position vis-à-vis the new Privacy Shield.
In addition, the standard contractual clauses and binding corporate rules are not immune to a future invalidation by the CJEU. Indeed, the Irish Data Protection Commissioner announced on 25 May 2016 its intention to seek a referral to the CJEU to determine the legal status of data transfers to the US under standard contractual clauses, i.e. a key transatlantic data transfer mechanism used by companies in the wake of the invalidation of the Safe Harbour Decision.