0370 270 6000

already registered?

Please sign in with your existing account details.

need to register?

Register to access exclusive content, sign up to receive our updates and personalise your experience on brownejacobson.com.

Privacy statement - Terms and conditions

Privacy Shield - uncertainties remain

12 September 2016

On 12 July 2016, the European Commission adopted the EU-US Privacy Shield as a replacement for the Safe Harbor mechanism, which had previously been declared invalid by the Court of Justice of the EU.

Around two weeks after the Commission’s announcement, the Article 29 Working Party (the EU Data Protection Regulators) issued their statement on the decision. Although not fully endorsing Privacy Shield, and expressing concerns over a number of issues, the Working Party agreed not to launch any legal challenge to it for at least a year.

The US Department of Commerce (DoC) began to accept applications from US companies to sign up to Privacy Shield on 1 August. The number of applications and acceptances has been impressive. In a period of just one calendar month, the DoC has decided that the privacy policies of 103 US companies comply with the Privacy Shield standards. As of 1 September, the DoC confirmed that it was also reviewing the policies of a further 190 companies and additional 250 companies were submitting their policies.

The numbers of those who have been successful in applying, and who are waiting in line, is testament to the attractiveness of Privacy Shield to US companies who process personal data from the EU.

One significant point is that although the DoC is determining whether a company’s policy meets the Privacy Shield standard it is not considering the more important issue of whether the applicant companies comply with those privacy policies. Drafting a compliant policy is a relatively easy step. Complying with it is another thing entirely.

The Commission and the US Government are happy with Privacy Shield. Andrus Ansip confidently stated that “it will protect the personal data of our people and provide clarity for businesses.” The US Secretary of Commerce Penny Pritzker said that it "is a tremendous victory for privacy, individuals, and businesses on both sides of the Atlantic.", The Article 29 Working Party is content for now, and US companies are signing up in significant numbers.

However, two unanswered questions remain. Will EU data controllers be willing to rely on a data importer’s Privacy Shield certification? How will data subjects react to a data controller transferring their information under that mechanism?

EU data controllers remain legally responsible for the transferred data. Knowing that a US company has had its privacy policy vetted and accepted by the DoC is an important step. But, a controller considering transferring data under the Privacy Shield would be wise to undertake their own due diligence to ensure that their data is being appropriately protected by the importing US company. No doubt, some controllers will insist on additional measures or alternative methods to protect their data.

Although the regulators may be granting Privacy Shield a year’s grace, and as Max Schrems has demonstrated, individual data subjects can exercise their rights to influence EU data protection law. Data subjects could potentially challenge a data controller’s reliance on Privacy Shield. Such individuals, unhampered by the Working Party’s grace period, could bypass EU data protection regulators and seek to test Privacy Shield’s validity through the courts.

There is no doubt that personal data will continue to flow across the Atlantic. The uncertainty lies in whether the flow will be interrupted.

training and events


In house lawyers' forum Nottingham office

Hear from our experienced lawyers in the next in house lawyers' forum.

View event


Trustee Training Programme 2019 The Hospitium, Museum Gardens, York

The House of Lords Select Committee Report on Charities specifically recommended that all trustees and senior management should embrace ongoing training and development.

These seminars offer a comprehensive introduction for new trustees as well as a useful refresher for existing trustees, ensuring they are fully aware of their legal and financial responsibilities as trustees.

View event

focus on...

State aid and IP in R&D agreements - hear from our panel of experts

As private businesses, public bodies and universities alike strive to gain a competitive advantage, each increasingly look to each other to develop next generation products and services.


Legal updates

Changes to Tier 1- Introducing the New ‘Innovator’ and ‘Start-up' visas

The Home Office recently announced substantial changes to Tier 1 of the PBS.


Brexit resources

How will Brexit affect businesses from an immigration perspective?

Now that the Brexit negotiations are in full swing, we have set out below our updated advice on some of the most common questions we see surrounding the potential impact of Brexit on employment and business immigration.

View brexit resources

Brexit resources

Managing robust public procurement exercises

The Cabinet Office has issued further guidance in relation to applying exclusions in public procurement, managing conflicts of interest and whistleblowing.

View brexit resources

The content on this page is provided for the purposes of general interest and information. It contains only brief summaries of aspects of the subject matter and does not provide comprehensive statements of the law. It does not constitute legal advice and does not provide a substitute for it.

mailing list sign up

Select which mailings you would like to receive from us.

Sign up