EU Commission Adopts EU-U.S. Privacy Shield

On July 12, 2016, the European Commission formally adopted the EU-U.S. Privacy Shield to replace the previously invalidated Safe Harbor Framework as an adequate method of transferring personal data from the European Economic Area to the United States. The U.S. Department of Commerce (DOC) will begin processing self-certification applications on August 1, 2016.

Since the European Court of Justice invalidated the Safe Harbor Framework on October 6, 2015, in Schrems v. Data Protection Commissioner, the European Commission and the DOC have engaged in intense negotiations to develop an acceptable replacement for Safe Harbor. On February 2, 2016, the parties announced that they had reached an agreement on the replacement, which they named “the EU-U.S. Privacy Shield,” and released details regarding the Privacy Shield on February 29, 2016.

Almost immediately, EU Data Regulators expressed concerns about the Privacy Shield and its lack of details and protections regarding the U.S. government’s ability to conduct mass surveillance of transferred data, the independence of the U.S. ombudsperson who will adjudicate complaints from EU citizens regarding misuse of their data, and the lack of protections regarding data retention and transfers to other companies. As a consequence, the European Commission and DOC resumed negotiations and agreed on the adopted version, which the parties contend addresses these concerns as well as the legal issues raised by the European Court of Justice in the Schrems decision. However, Max Schrems, who brought the case that invalidated the Safe Harbor Framework, has announced that he will challenge the Privacy Shield, and the validity of the Privacy Shield is likely to be reviewed in the future by the European Court of Justice.

Next Steps for Employers

Between now and August 1, employers wishing to transfer personal data of EU employees to the United States should revise their data privacy policies and practices to comply with the Privacy Shield requirements. Employers currently using standard contract clauses to transfer personal data from the EU to the United States should consider self-certifying under the Privacy Shield, as the Irish Data Protection Authority is challenging the adequacy of standard contract clauses.

On July 28, 2016, Data Privacy Practice Group members Grant D. Petersen (shareholder, Tampa) and Hendrik Muschal (Managing Partner, Berlin) will present a one-hour webinar entitled “Transferring HR Data Under the EU-U.S. Privacy Shield.” Please visit the Ogletree Deakins website to register.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ogletree, Deakins, Nash, Smoak & Stewart, P.C. | Attorney Advertising

Written by:

Ogletree, Deakins, Nash, Smoak & Stewart, P.C.