0370 270 6000

already registered?

Please sign in with your existing account details.

need to register?

Register to access exclusive content, sign up to receive our updates and personalise your experience on brownejacobson.com.

Privacy statement - Terms and conditions

Privacy Shield - uncertainties remain

12 September 2016

On 12 July 2016, the European Commission adopted the EU-US Privacy Shield as a replacement for the Safe Harbor mechanism, which had previously been declared invalid by the Court of Justice of the EU.

Around two weeks after the Commission’s announcement, the Article 29 Working Party (the EU Data Protection Regulators) issued their statement on the decision. Although not fully endorsing Privacy Shield, and expressing concerns over a number of issues, the Working Party agreed not to launch any legal challenge to it for at least a year.

The US Department of Commerce (DoC) began to accept applications from US companies to sign up to Privacy Shield on 1 August. The number of applications and acceptances has been impressive. In a period of just one calendar month, the DoC has decided that the privacy policies of 103 US companies comply with the Privacy Shield standards. As of 1 September, the DoC confirmed that it was also reviewing the policies of a further 190 companies and additional 250 companies were submitting their policies.

The numbers of those who have been successful in applying, and who are waiting in line, is testament to the attractiveness of Privacy Shield to US companies who process personal data from the EU.

One significant point is that although the DoC is determining whether a company’s policy meets the Privacy Shield standard it is not considering the more important issue of whether the applicant companies comply with those privacy policies. Drafting a compliant policy is a relatively easy step. Complying with it is another thing entirely.

The Commission and the US Government are happy with Privacy Shield. Andrus Ansip confidently stated that “it will protect the personal data of our people and provide clarity for businesses.” The US Secretary of Commerce Penny Pritzker said that it "is a tremendous victory for privacy, individuals, and businesses on both sides of the Atlantic.", The Article 29 Working Party is content for now, and US companies are signing up in significant numbers.

However, two unanswered questions remain. Will EU data controllers be willing to rely on a data importer’s Privacy Shield certification? How will data subjects react to a data controller transferring their information under that mechanism?

EU data controllers remain legally responsible for the transferred data. Knowing that a US company has had its privacy policy vetted and accepted by the DoC is an important step. But, a controller considering transferring data under the Privacy Shield would be wise to undertake their own due diligence to ensure that their data is being appropriately protected by the importing US company. No doubt, some controllers will insist on additional measures or alternative methods to protect their data.

Although the regulators may be granting Privacy Shield a year’s grace, and as Max Schrems has demonstrated, individual data subjects can exercise their rights to influence EU data protection law. Data subjects could potentially challenge a data controller’s reliance on Privacy Shield. Such individuals, unhampered by the Working Party’s grace period, could bypass EU data protection regulators and seek to test Privacy Shield’s validity through the courts.

There is no doubt that personal data will continue to flow across the Atlantic. The uncertainty lies in whether the flow will be interrupted.

focus on...

Legal updates

Prohibition on corporate directors – what’s the latest?

As we have previously reported, the provisions of the Small Business, Enterprise and Employment Act 2015 (SBEEA) will require all company directors to be natural persons and prohibit the appointment of corporate directors (subject to certain exceptions).


Legal updates

Entrepreneurs Relief from CGT: changes to the 'personal company' tests on share sales

When individual employees or directors sell shares in a trading company, or a holding company of a trading group, they may be able to claim entrepreneurs relief ('ER') from CGT on the sale of their shares in that company.



How will Brexit affect businesses from an immigration perspective?

Now that the Brexit negotiations are in full swing, we have set out below our updated advice on some of the most common questions we see surrounding the potential impact of Brexit on employment and business immigration.

View brexit

Legal updates

Practical tips for local government re-organisation

Local government re-organisation and the transition from two tiers of local government in to a single tier unitary authority is a big undertaking, which necessitates looking at numerous practical considerations.


The content on this page is provided for the purposes of general interest and information. It contains only brief summaries of aspects of the subject matter and does not provide comprehensive statements of the law. It does not constitute legal advice and does not provide a substitute for it.

mailing list sign up

Select which mailings you would like to receive from us.

Sign up