The impact of the new Privacy Shield agreement


On Tuesday 12th July the European Commission announced the approval of the new US-EU Privacy Shield agreement on the transatlantic transfer of personal data, referred to simply as the “Privacy Shield”, bringing months of legal uncertainty for European companies to an end.

What is the likely impact of the Privacy Shield on European companies? In this post we look at the implications of, and the questions most often raised about, this new agreement, which aims to offer stronger data protection for European citizens and greater legal certainty for businesses.

This post is also available in Spanish.

Relevant issues

1. From when will the Privacy Shield apply?

In Europe, from July 12, 2016, the date on which the European Commission approved the Privacy Shield and notified the adequacy decision to all EU Member States. In the United States, the new agreement will apply from the day it is published in the Federal Register.

2. What's new in this agreement compared to Safe Harbor?

Safe Harbor was based on seven basic principles set out in the EU Commission Decision of 26 July 2000, under which American companies receiving the personal data of European citizens unequivocally and publicly committed themselves to applying the aforementioned principles. This commitment was understood as a self-certification framework for companies, whereby the certified entity was subject to the jurisdiction of US government agencies when affected European citizens submitted complaints of non-compliance.

Safe Harbor’s seven principles related to the following aspects:

  • Notification - providing information to those affected.
  • Choice - the possibility for those affected to object.
  • Purpose and proportionality in transfers to third parties - in order to maintain data security and integrity.
  • Right of access and application of procedures - to satisfy the rights of those affected.

The new Privacy Shield agreement includes:

  • (i) The recommendations made by the Commission in November 2013.
  • (ii) The requirements laid down by the European Court of Justice on 6 October 2015 in response to the areas of uncertainty brought about by Safe Harbor.
  • (iii) The observations made by the Article 29 Working Party on 13 April 2016.

The Privacy Shield’s system and overall operation remain the same as under Safe Harbor: American companies will still have to make a formal declaration of adherence to the Privacy Shield, which obliges them to comply with all of its security measures, including being subject to supervision and monitoring by the United States Department of Commerce. Additional commitments include stringent obligations for companies that process personal data, as well as monitoring mechanisms for US companies, as detailed in the following section.

"The EU-U.S. Privacy Shield is a robust new system to protect the personal data of Europeans and ensure legal certainty for businesses. It brings strong data protection standards that are better enforced, safeguards on government access, and easier redress for individuals in case of complaints. The new framework will restore the trust of consumers when their data is transferred across the Atlantic. We have worked together with the European data protection authorities, the European Parliament, the Member States and our U.S. counterparts to put in place an arrangement with the highest standards to protect Europeans' personal data."

- Věra Jourová, European Commissioner for Justice, Consumers and Gender Equality

3. What does the Privacy Shield regulate?

The Privacy Shield is structured around four key principles:

  • Strict obligations for companies working with personal data
    U.S. companies will now be subject to periodic inspections. The United States Department of Commerce will implement monitoring mechanisms to ensure that companies comply with all applicable data protection rules. If there is evidence of a breach of the rules, companies will be removed from the Privacy Shield List. Similarly, stricter conditions have been established for US companies that perform data transfers, bringing the U.S. into line with Europe in the level of protection required of data controllers and processors. A company must notify the United States Department of Commerce if these obligations do not apply to its type of business. Finally, personal data shall be retained only for as long as it takes to perform the functions or services entrusted to the data processor.
  • Obligations regarding transparency and safeguards on access by the U.S. administration
    Strict rules now apply to access to personal data by the Director of National Intelligence of the United States. Bulk data collection may only be performed under specific conditions. A new, independent "Ombudsperson" within the American security services will deal with complaints from European citizens affected by the actions of American security agencies.
  • Effective protection of individual rights
    Any European citizen affected by improper use of the privacy scheme and/or the security implemented by a U.S. company can set in motion the appropriate dispute resolution mechanism, of which there are three:
    1. Resolve the dispute directly with the company.
    2. Resolve the dispute through the Data Protection Authority of the relevant EU Member State, which will then present the complaint to the United States Department of Commerce.
    3. Resolve the dispute through an arbitration mechanism, as a final means of resolution if the case is not resolved by the other methods.
  • Annual joint review mechanism
    An annual joint review will be conducted by the European Commission and the United States Department of Commerce, together with experts in United States national security and the European Data Protection Authorities. The panel will evaluate the results and effectiveness of the Privacy Shield, reviewing and assessing its performance. If an inadequate level of protection is detected, the European Commission may take the relevant measures to further enforce the privacy of European citizens and EU data protection regulations.

4. How will the Privacy Shield work?

The United States Department of Commerce will continue as the body responsible for the application of guarantees and processes arising from the implementation of the new Privacy Shield agreement.

As indicated above in point 2, the system is similar to that of Safe Harbor but with greater levels of assurance and protection. U.S. companies that offer services in Europe, whenever those services involve transfers of personal data, shall be registered on the "Privacy Shield List", so that their activities can be monitored and reviewed by the United States Department of Commerce.

Spanish companies wishing to contract the services of American companies must ensure that the latter appear on the aforementioned list, as proof that they are committed to meeting the same security standards required of operators within the European Union. In other words, U.S. companies that process personal data must meet the security requirements in force in the European Union.

Both the United States and the European Union will periodically review the effectiveness of the new agreement, with an obligation to make adjustments to its clauses if and when any breach is detected.

5. What benefits will the Privacy Shield bring to Spanish companies and the European Union in general?

European companies hiring American companies that appear on the Privacy Shield List published by the U.S. Department of Commerce, and whose services include transatlantic data transfer, can offer their customers and/or users greater guarantees of data protection resulting from the effective implementation of the principles mentioned in point 2.

At an operational level, Spanish companies wishing to contract the services of American companies are not currently required to obtain authorization from the Spanish Data Protection Agency, nor are they obliged to obtain the unequivocal consent of the data subject in order to make transatlantic data transfers.

It must be noted that the Privacy Shield, although a valid political agreement between the United States and the European Union, remains subject to the control of the European authorities and citizens, since non-compliance can give rise to legal action, and the agreement may be subject to revision at any time, as was the case with Safe Harbor.

This is a guest post by Ana Maritza Vega Suárez.

Ana Maritza is a lawyer specializing in new technologies and intellectual property, and the founder of Avatic Abogados.