The EU-U.S. Privacy Shield officially adopted
On 12 July 2016, the EU-U.S. Privacy Shield was officially adopted by the European Commission, providing a new framework and legal basis for EU-U.S. personal data transfers. U.S. companies will be able to certify with the U.S. Department of Commerce for the EU-U.S. Privacy Shield from 1 August 2016.
On 2 February 2016 the European Commission and the U.S. Government reached a political agreement on a new framework for transatlantic personal data transfers: the Privacy Shield. The Privacy Shield replaces the Safe Harbour Agreement which was declared invalid by the European Court of Justice on 6 October 2015.
The Privacy Shield Principles
The Privacy Shield is based on the following principles: (i) strong obligations on companies handling data, (ii) clear safeguards and transparency obligations on U.S. government access; (iii) effective protection of individual rights and (iv) an annual joint review mechanism. For further information on Privacy Shield principles we refer to our previous News Update of March 2016.
Next steps - Effective Date
The "adequacy decision" corresponding with the Privacy Shield will be notified to the Member States 12 July 2016, after which this "adequacy decision" will immediately inter into force. From a Dutch law perspective this means that a transfer of personal data to the U.S. on the basis of the Privacy Shield will be allowed pursuant to article 76 of the Dutch Data Protection Act.
The U.S. Department of Commerce shall commence operating the Privacy Shield on short notice. U.S. companies will be able to certify with the U.S. Department of Commerce from 1 August 2016 onwards. Once a U.S. company is Privacy Shield-certified, the transfer of personal data from the EU to the U.S. company is legitimized.
As of 1 August 2016 organizations can opt to legitimize EU-U.S. personal data transfers on the basis of the Privacy Shield. Organizations can use the Privacy Shield as a legal basis for the transfer of personal data from the EU to the U.S. in addition to, or instead of, other transfer mechanisms for EU-U.S. personal data transfers, such as Binding Corporate Rules or the European Commission's Standard Contractual Clauses.
Please contact Houthoff' Privacy and Data Protection team for any questions regarding this decision and the transfer of personal data to the US.