0370 270 6000

already registered?

Please sign in with your existing account details.

need to register?

Register to access exclusive content, sign up to receive our updates and personalise your experience on brownejacobson.com.

Privacy statement - Terms and conditions

Privacy Shield - uncertainties remain

12 September 2016

On 12 July 2016, the European Commission adopted the EU-US Privacy Shield as a replacement for the Safe Harbor mechanism, which had previously been declared invalid by the Court of Justice of the EU.

Around two weeks after the Commission’s announcement, the Article 29 Working Party (the EU Data Protection Regulators) issued their statement on the decision. Although not fully endorsing Privacy Shield, and expressing concerns over a number of issues, the Working Party agreed not to launch any legal challenge to it for at least a year.

The US Department of Commerce (DoC) began to accept applications from US companies to sign up to Privacy Shield on 1 August. The number of applications and acceptances has been impressive. In a period of just one calendar month, the DoC has decided that the privacy policies of 103 US companies comply with the Privacy Shield standards. As of 1 September, the DoC confirmed that it was also reviewing the policies of a further 190 companies and additional 250 companies were submitting their policies.

The numbers of those who have been successful in applying, and who are waiting in line, is testament to the attractiveness of Privacy Shield to US companies who process personal data from the EU.

One significant point is that although the DoC is determining whether a company’s policy meets the Privacy Shield standard it is not considering the more important issue of whether the applicant companies comply with those privacy policies. Drafting a compliant policy is a relatively easy step. Complying with it is another thing entirely.

The Commission and the US Government are happy with Privacy Shield. Andrus Ansip confidently stated that “it will protect the personal data of our people and provide clarity for businesses.” The US Secretary of Commerce Penny Pritzker said that it "is a tremendous victory for privacy, individuals, and businesses on both sides of the Atlantic.", The Article 29 Working Party is content for now, and US companies are signing up in significant numbers.

However, two unanswered questions remain. Will EU data controllers be willing to rely on a data importer’s Privacy Shield certification? How will data subjects react to a data controller transferring their information under that mechanism?

EU data controllers remain legally responsible for the transferred data. Knowing that a US company has had its privacy policy vetted and accepted by the DoC is an important step. But, a controller considering transferring data under the Privacy Shield would be wise to undertake their own due diligence to ensure that their data is being appropriately protected by the importing US company. No doubt, some controllers will insist on additional measures or alternative methods to protect their data.

Although the regulators may be granting Privacy Shield a year’s grace, and as Max Schrems has demonstrated, individual data subjects can exercise their rights to influence EU data protection law. Data subjects could potentially challenge a data controller’s reliance on Privacy Shield. Such individuals, unhampered by the Working Party’s grace period, could bypass EU data protection regulators and seek to test Privacy Shield’s validity through the courts.

There is no doubt that personal data will continue to flow across the Atlantic. The uncertainty lies in whether the flow will be interrupted.

training and events


Roads to China - strategies for building effective relationships with China Aston Business School, Aston University, Aston Triangle, Birmingham, B4 7ET

Join our speaker Zo Hoida at the ‘Roads to China’ Birmingham China Business Forum event, in collaboration with Universities and industry leaders, which aims to build on the Midlands Engine China Strategy to establish a realistic and practical China Strategy.

View event

focus on...

Legal updates

Joint committee publishes its report on the draft Registration of Overseas Entities Bill

Recently the House of Lords and House of Commons Joint Committee on the draft Registration of Overseas Entities Bill (Bill) published its report on the draft Bill following pre-legislative scrutiny.


Legal updates

Freelance Solicitors not subject to Minimum Terms

As part of the SRA’s ‘Looking to the Future’ programme, from November 2019 solicitors who provide reserved legal activities who wish to practise on their own have the option to go freelance. Freelance solicitors will be a new class of solicitor.


Legal updates

Charity Commission opens inquiry into care charity following Coroner's report

In May 2016 an inquest into the charity’s care was opened following the death of Sophie Bennett.


Legal updates

The biggest change to the UK companies register since 1844?

On 5 May 2019 BEIS (the Department for Business, Energy & Industrial Strategy) published a consultation on options to enhance the role of Companies House and increase the transparency of UK corporate entities.


The content on this page is provided for the purposes of general interest and information. It contains only brief summaries of aspects of the subject matter and does not provide comprehensive statements of the law. It does not constitute legal advice and does not provide a substitute for it.

mailing list sign up

Select which mailings you would like to receive from us.

Sign up