On July 8, 2016, the draft EU-U.S. Privacy Shield adequacy decision was formally approved by the so-called “Article 31 Committee” of EU Member States (see press release, here).
That approval opens the door for the College of EU Commissioners to approve the Privacy Shield on Monday (July 11). Once translated and published in the Official Journal of the EU, the adequacy decision will then enter into force.
However, there may need to be an implementation period during which the EU and U.S. put in place relevant structures; it is expected that Commissioner Věra Jourová will provide more details to the European Parliament on Monday, and in a joint press conference on Tuesday with U.S. Secretary of Commerce Penny Pritzker.
Once that implementation phase is complete, U.S.-based companies will be able to self-certify under the Privacy Shield. Doing so provides a legal basis which entities in the European Economic Area can rely on to transfer personal data to those Privacy Shield-certified companies in the US.
Countries such as Israel and Switzerland may also follow suit, as they had previously done with the original EU-U.S. Safe Harbor framework (invalidated by the Court of Justice of the EU in October 2015).
An initial draft of the EU-U.S. Privacy Shield package, published in February (see our blog post here), had originally been met with mixed reviews from the European Parliament, the Article 29 Working Party and the European Data Protection Supervisor.
They all noted the Privacy Shield’s importance and welcomed the substantial progress compared to the Safe Harbor, but highlighted a number of concerns. In particular, they expressed reservations in relation to the redress mechanisms, U.S. surveillance practices, automated decision-making, onward transfers, and data retention.
After calls from the Article 31 Committee for the European Commission to address those issues before they voted on the Privacy Shield, the EU and U.S. worked on an improved final text, securing the Article 31 Committee’s approval today.