EU-US Privacy Shield: The “Privacy Shield List” begins to grow

On12.07.2016, the Commission officially approved the final version of the “EU-US Privacy Shield” as an “adequacy decision” under Art. 25 ss. 6 of the EU Data Protection Directive 95/46/EC). Since 01.08.2016, US companies can certify themselves with the U.S. Department of Commerce under the new Privacy Shield. Self-certification must be repeated annually. As expected, the Privacy Shield List maintained online by the U.S. Department of Commerce is now growing steadily. The list provides information on contact partners for questions and complaints on data processing by the certified company.

The EU-US Privacy Shield succeeds the U.S./EU Safe Harbor Framework set aside by the ECJ last year. Self-certification by US companies creates “an adequate level of data protection” in the meaning of § 4b ss. 2 Federal Data Protection Act.

Since criticism of the EU-US Privacy Shield from many sides has not abated, it cannot be excluded that the adequacy decision of the EU Commission on the EU-US Privacy Shield may not survive a review by the ECJ. It continues therefore to be advisable as a long-term strategy for international data transfer to take account of other possible justifications for transatlantic data exchange and to critically assess the appropriate method by which an adequate level of data protection is established for the relevant company or project. That may be by EU standard contract clauses and Binding Corporate Rules as before in addition to the EU-US Privacy Shield. The fate of the EU standard contract clauses is also unclear however, since the Irish data protection authority has applied for a review of the standard contract clauses by the ECJ.