Just nine months after the invalidation of the EU-US safe harbor framework, the European Commission (the Commission) has formally adopted its replacement scheme: the EU-US privacy shield (see box "The privacy shield explained"). US organisations may self-certify to the privacy shield from 1 August 2016.

The privacy shield was originally announced by the Commission in draft form in February 2016 but has since been revised, not least to seek to address the concerns raised by EU data protection regulators, as represented by the Article 29 Working Party (the working party). The working party issued a critical opinion regarding the privacy shield on 13 April 2016 (see News brief "Shield or no shield: that is the question").

The working party is to issue a revised opinion on 25 July 2016. Although it cannot veto the privacy shield, members of the working party will judge any subsequent complaints brought in the EU in relation to its use.

Changes made to the final form of the privacy shield as compared to the Commission’s February 2016 draft include the following:

Clarification on data retention. The rules on data integrity and purpose limitation have been clarified. Personal data processing must be: limited to what is relevant given the purposes for which the data were obtained; reliable for its intended use; accurate; complete; and current. In particular, personal data can be retained only for so long as is necessary given the purposes for which they were originally collected or subsequently authorised.

US mass data collection. The privacy shield provides further clarity from the US government around the bulk collection of data for intelligence purposes, which was a key concern of the working party. Bulk collection is described as the acquisition of a relatively large volume of intelligence data where the intelligence agency cannot use an identifier associated with a specific target, for example, an email address or a telephone number.

However, the US government has given an assurance that bulk collection will only be carried out under specific pre-conditions and will be as targeted and focused as possible (for example, in respect of identified legitimate targets), so will not be either mass or indiscriminate surveillance.

Onward transfers. The privacy shield principles are to apply to sub-processors. In addition, where onward data transfers are made to third parties that act as either a controller or processor, the recipient must contractually agree to notify the data exporter if it can no longer meet its obligations to provide the same level of protection as required by the privacy shield principles.

These rules add to the existing restrictions on onward transfers contained in the privacy shield, which provide that any onward transfers must be for only limited and specified purposes and be on the basis of a contract in which the transferee agrees to provide the same level of protection as that afforded under the privacy shield principles.

Independence of ombudsperson. The ombudsperson is stated to be independent of US intelligence services and will report directly to the Secretary of State who is to ensure that he carries out his functions free from improper influence. In addition, co-operation with oversight bodies with investigatory powers, such as Inspectors General or the US Privacy and Civil Liberties Oversight Board, is stated to ensure that the ombudsperson has access to the expertise necessary to fulfil its role of ensuring independent oversight and individual redress.

Periodic review. The US commits to inform the Commission of material developments in US law where relevant to the privacy shield. Similarly, the Commission is to assess the level of protection provided by the privacy shield following the entry into force of the General Data Protection Regulation (GDPR) in May 2018 (see Briefing "General Data Protection Regulation: preparing for change").

It seems inevitable that changes will need to be made to the privacy shield’s principles to upgrade them to a GDPR level of compliance.

While agreement on the privacy shield will be welcomed by many, it remains to be seen whether the finalised arrangement will meet the concerns of the working party. Attention now turns to the publication of the working party opinion at the end of July 2016.

Whatever its opinion, it seems likely the effectiveness of the privacy shield to meet EU data transfer laws will be challenged through the courts, which may leave organisations cautious about adopting the framework.

That said, the privacy shield should not be discounted for a number of reasons including:

Subject to the working party’s opinion, the privacy shield could prove a useful element of an organisation’s compliance programme, either alone or in combination with other transfer solutions, in the short term at the very least (see feature article "Cross-border transfers of data: changing times").