On 12 July 2016 the European Commission adopted the Privacy Shield framework, giving UK businesses that had previously relied on the now-invalidated Safe Harbour scheme another mechanism for sending personal data to the US.
Like Safe Harbour, the Privacy Shield is based on a voluntary system of self-certification. US businesses will need to self-certify annually that they agree to adhere to the Privacy Shield Principles, which include requirements in relation to notice, purpose limitation and onward transfers.
The framework is not immediately available for use. US businesses will be able to sign up to the Privacy Shield from 1 August 2016, giving them some time to review its provisions and prepare for self-certification. In practice, however, it is not clear when the first businesses will sign up.
The situation in relation to US transfers remains precarious in light of recent challenges to the model clauses, and there is speculation that the Privacy Shield itself will be legally contested for failing to properly address the concerns raised by Safe Harbour and to ensure adequate levels of protection for EU personal data.
Businesses transferring data into the US should therefore continue to monitor for updates.