On June 24, 2016, the European Commission announced that it had reached a final agreement with the United States on the terms of the EU-U.S. Privacy Shield, which will permit U.S. companies to transfer the personal data of European Union (EU) citizens to the United States in compliance with EU data protection laws. The terms of the final agreement address several concerns raised by EU regulators about the initial Privacy Shield agreement reached in February of 2016, including concerns about the U.S. government’s ability to conduct mass surveillance of transferred data, the independence of the U.S. ombudsperson who will adjudicate complaints from EU citizens regarding misuse of their data, and the lack of protections regarding data retention and transfers to other companies.
The new agreement now includes:
- a written commitment from the White House providing that intelligence services can engage in bulk collection of data sent from the EU to the U.S. only under specific and limited preconditions;
- a commitment that the ombudsman will be independent from national security services; and
- explicit data retention rules requiring companies to delete data that no longer meets the purpose for which it was collected.
While the final agreement has not yet been made public, it is anticipated that several key provisions of the initial agreement will remain unchanged.
Impact of the Brexit Vote
With respect to companies transferring data from the United Kingdom (U.K.), the Brexit vote will not have any impact on the EU-U.S. Privacy Shield in the short-term, as Britain will not depart the EU until 2018 at the earliest. According to the U.K.’s information commissioner, the U.K. likely would adopt a similar program to the Privacy Shield after departing the EU to remain on equal footing with the EU.
Next Steps in the Implementation of the Privacy Shield
The revised agreement has been sent to the Article 31 Working Party, which is made up of representatives from the EU member states, for approval. The College of Commissioners is expected to adopt the agreement in a vote to be held in early July 2016. U.S. companies will be able to use the EU-U.S. Privacy Shield for their data transfers shortly thereafter.