The European Commission has today formally adopted the EU-US Privacy Shield framework for data transfers to the US.
Today's announcement was anticipated following last week's announcement that EU member states had approved Privacy Shield. Four member states apparently abstained in last week's member state vote.
Privacy Shield will replace Safe Harbor, which the Court of Justice of the European Union (CJEU) last year declared invalid under European data protection laws.
The Commission's adoption follows criticism from the Article 29 Working Party, the European Parliament and the European Data Protection Supervisor. An amended Privacy Shield proposal was published by the Commission last month, which sought to address a number of these concerns.
Notably, Recital 128 of the Commission's draft adequacy decision (Recital 153 in the adopted version) has changed from:
"The [Article 29 Working Party] has delivered a favourable opinion on the adequate level of protection provided by the United States for personal data transferred under the EU-U.S. Privacy Shield, which has been taken into account in the preparation of this Decision."
To:
"The [Article 29 Working Party] published its opinion on the level of protection provided by the EU-U.S. Privacy Shield, which has been taken into account in the preparation of this Decision."
When will Privacy Shield come into force?
The Commission's adoption of Privacy Shield takes effect immediately. However, US organisations will not be able to certify with the US Department of Commerce until 1 August 2016.
What will Privacy Shield mean for US data transfers?
This is the big question.
Given previous criticisms, it is clear that privacy campaigners will seek to challenge Privacy Shield in much the same way as the successful challenge last year to the previous Safe Harbor regime. As such, its life may be limited.
Meanwhile, the legality of the Commission's Standard Contractual Clauses (SCCs) - adopted by many organisations as an alternative means of legitimising US data transfers following the CJEU's Safe Harbor decision - is now also being challenged in the courts and is the subject of a review by the Article 29 Working Party (WP29).
Organisations that transfer personal data to the US (and, indeed, other countries outside the EEA) should therefore think carefully about the legal basis upon which that transfer is carried out, and the steps that can be taken to mitigate risks. That may include incorporating appropriate provisions in their contracts to deal with any subsequent rulings from the CJEU on the legality of Privacy Shield and the SCCs.
Read our summary of the key changes under Privacy Shield.
Managing your data processing contracts
As many organisations found out when trying to identify where they were relying upon Safe Harbor, it's also important that organisations have a clear overview of their international data processing activities and the contractual and legal relationships that underpin those.
Brodies has developed BOrganised, a contract management system that allows you to easily manage your contracts and view key information, which can help your organisation comply with the new record keeping and accountability obligations under the General Data Protection Regulation. Find out how BOrganised can help you manage your data processing contracts.
To discuss any of these issues further, please just get in touch.