It has taken two years, but on 12 July 2016 the EU Commission finally adopted the adequacy decision on the Privacy Shield, and from 1 August 2016 entities will be able to certify with the US Department of Commerce.
From a strategic perspective, US companies (or EU companies doing business in the US) will be pondering what to do now that the adequacy decision has been taken. For those companies who want to ensure that they can lawfully transfer personal data from the EU to the US, the Privacy Shield may be the answer. However, for EU companies carrying out business in the US, the General Data Protection Regulation (GDPR) may be the most pressing compliance concern. Then what about those companies who have spent enormous time and effort putting in place a web of EU Model Clauses? These remain valid, but the onward transfer provisions under the Privacy Shield differ. Putting this all together, it seems more than likely that different companies will take different approaches, and many companies may want to (or need to) rely on several legal mechanisms in order to transfer data globally.
What about our post-Brexit homeland companies? Well, for now the UK remains part of the EU, so the adequacy decision by the EU Commission applies in the UK.
What can companies expect in the era of the Privacy Shield? Well, certainly there will be a much higher level of monitoring of the Privacy Shield, which inevitably means greater intervention and enforcement. The EU Commission is tasked with monitoring the way the Privacy Shield is functioning and can, where it has evidence that there is interference with the rights of individuals to protect their personal data or where the US authorities are not cooperating, present draft measures to suspend, amend or repeal the Privacy Shield. National Regulators are also vested with the power to check whether a transfer of personal data from their own territory to a third country is compliant with EU law, and they have powers to suspend data transfers and take enforcement action against non-compliant organisations. The US Regulator can also remove companies from the Privacy Shield scheme.
The Privacy Shield represents some big changes, and in order to ensure it appears robust there is no grandfathering of Safe Harbor-certified entities into this new regime: everyone is starting afresh. The Department of Commerce has set up a webpage, www.commerce.gov/privacyshield, to help entities work through and understand the logistics of how to go about certification, and HireRight is currently reviewing the guidelines.
As a final thought, as news starts to trickle through that the Privacy Shield may face some legal challenges, it will be interesting to see if there will be a division between the Member State Regulators and how willing they are to adopt the Privacy Shield.