On July 8, 2016, the European Commission Article 31 Committee, consisting of representatives from each of the EU member states, approved the revamped EU-U.S. Privacy Shield. This news marks a significant step forward for the legal framework, negotiated by the U.S. Department of Commerce and the EC’s Article 29 Working Party, to govern cross-border data transfers between the U.S. and EU member states. The long-awaited replacement program for the currently invalidated EU-U.S. Safe Harbor was given strong support by a nearly unanimous favorable vote, paving the way for formal adoption of the agreement. European Commission Vice-President Andrus Ansip and Justice Commissioner Vera Jourova applauded the outcome in a joint statement, stating that the Privacy Shield “will ensure a high level of protection for individuals and certainty for business” by creating a “fundamentally different” regime that “imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice.” U.S. Chamber of Commerce Executive Vice President Myron Brilliant echoed these sentiments, noting that the agreement “provides strong data privacy assurances while preserving data flows.” European trade group DIGITALEUROPE, in its own release, conceded that “negotiations have not been easy,” but congratulated the EC and Department of Commerce on striking a deal that “offers greater clarity on data retention,” “strengthens obligations for onward transfers,” and gives greater clarity and autonomy to the contemplated U.S. Ombudsperson. The final text of the agreement is expected to be released during the following week after a vote of the College of Commissioners, with implementation around the end of August following translation into the EU’s official languages.

Ratification of the Privacy Shield had previously stalled for the same reason that scuttled Safe Harbor and was only resolved after U.S. government officials provided written assurances regarding limitations, safeguards and oversight of EU citizens’ data surveillance, including a promise that mass collection of data would not be employed. The decision was presented in draft format at the end of February, and its fate remained uncertain following criticisms of the text in March by a number of European civil rights organizations. News reports have stated that four countries abstained from voting on Privacy Shield: Austria, Croatia, Slovenia and Bulgaria. These member states are expected to closely scrutinize both the final text and the Privacy Shield’s annual reviews. While a major step forward, approval by the European Commission will not prevent challenges to the framework before the European Court of Justice, similar to the Schrems decision that prompted negotiations on the Privacy Shield. More than 4,000 companies were left to find alternative means for data transfers following Schrems, including Binding Corporate Rules, data subject consent, and model contract clauses. It remains to be seen how the Privacy Shield will be implemented and revised to fit the EU-wide General Data Protection Regulation, which becomes enforceable in 2018.