Today, the European Union formally adopted the revamped EU-U.S. Privacy Shield, which had been preliminarily approved on Friday by the EU member states. This news marks a significant step forward for the legal framework, negotiated by the U.S. Department of Commerce and the EC’s Article 29 Working Party, to govern cross-border data transfers between the U.S. and EU member states. The long-awaited replacement program for the currently invalidated EU-U.S. Safe Harbor was given strong support by a nearly unanimous favorable vote on Friday, paving the way for formal adoption of the agreement today. In a joint statement released today, U.S. Secretary of Commerce Penny Pritzker and European Union Commissioner Věra Jourová applauded the outcome, stating that the Privacy Shield Framework “will facilitate more trade and collaboration across the Atlantic, and for consumers, the Framework will ensure access to the latest technologies, while providing strong privacy protections.” European trade group DIGITALEUROPE, in its own release Friday, conceded that “negotiations have not been easy,” but congratulated the EC and Department of Commerce on striking a deal that “offers greater clarity on data retention,” “strengthens obligations for onward transfers,” and gives greater clarity and autonomy to the contemplated U.S. Ombudsperson.
Ratification of the Privacy Shield had previously stalled for the same reason that scuttled Safe Harbor, and the impasse was resolved only after U.S. government officials provided written assurances regarding limitations, safeguards and oversight of surveillance of EU citizens’ data, including a promise that mass collection of data would not be employed. While a major step forward, approval by the European Commission does not prevent challenges to the framework before the European Court of Justice, similar to the Schrems decision that prompted negotiations on the Privacy Shield. More than 4,000 companies were left to find alternative means for data transfers following Schrems, including Binding Corporate Rules, data subject consent, and model contract clauses. Commerce Secretary Pritzker sought to provide assurances of the Privacy Shield’s enforceability, noting today that “[w]ith new privacy protections in place, we are confident the Framework will withstand further scrutiny.”
It remains to be seen how the Privacy Shield will be implemented and revised to fit the EU-wide General Data Protection Regulation, which becomes enforceable in 2018.