17 February 2016

Nicola Fulford, head of data protection & privacy, Kemp Little

Earlier this month, the EU ruled that “Privacy Shield” will replace “Safe Harbour”, and provide stronger obligations on US companies to protect the personal data of Europeans. 

While the new agreement is a positive move forward, it is also the first step in a process towards fully implementing the EU-US Privacy Shield on both sides of the Atlantic.  

During the coming weeks, the EC will prepare a draft adequacy decision. After first taking the advice of the Article 29 Working Party and then consulting a committee composed of representatives of the Member States, this could then be adopted by the College of Commissioners.  

At the same time, the US will be making preparations to implement the new framework from its side, monitoring mechanisms, and appointing a new ombudsperson.  

The EC said the new EU-US Privacy Shield will take three months to implement. Until it is agreed and finally put in place, companies should continue to rely on alternative mechanisms for transatlantic data transfers.  

For now, it remains to be seen how widely the EU-US Privacy Shield will be adopted and how soon EU companies will sign up to it. 

Companies that have gone to the effort of putting model clauses in place with their US suppliers or entering into binding corporate rules between group companies, might decide to continue to rely on these mechanisms instead of adopting the new EU-US Privacy Shield so soon afterwards.  

A question mark still hangs over the status of US companies that are currently Safe Harbour certified. The EC’s announcement does not clarify whether they will automatically transition to the new Privacy Shield, or whether they will have to register anew and what that will involve.