EU-US Privacy Shield progress reported

Changes have reportedly been agreed to the proposed Privacy Shield for EU-US personal data transfers. The changes address EU concerns about the adequacy of the arrangements proposed in Privacy Shield texts published in February 2016. These included concerns around redress and oversight mechanisms (including the independence of the Ombudsperson), onward data transfers, data retention, disproportionate collection of bulk data, and derogations for national security and law enforcement purposes (see Legal updates, EDPS publishes Opinion on EU-US Privacy Shield, Article 29 Working Party publishes Opinion on EU-US Privacy Shield and MEPs pass non-legislative resolution voicing concerns over EU-US Privacy Shield).

A revised framework has yet to be officially published, but changes reportedly relate to:

Bulk collection of data. Conditions under which bulk data may be collected and transferred have been further specified and must be "targeted and focused".

Data retention. More rules have been introduced, requiring the deletion of data that no longer serves the original purpose for which it was collected.

Ombudsperson. Changes have been made to address concerns raised about the powers, position and independence of an Ombudsperson.

Once finalised, which according to reports may occur in early July, the Privacy Shield is likely be welcomed by EU data controllers as an option for facilitiating legitimate data transfers to the US. Controllers who depended on the now invalid Safe Harbor framework to legitimise transfers were advised by the EU that EU Standard Contractual Clauses could alternatively be used, but doubt remains as to their validity, which may soon be examined by the ECJ (see Legal update, US government and interested groups seek to join Irish case on EU standard contractual clauses).

For more information, see Practice note, Cross-border transfers of personal data.

Source: BBC news and Wall Street Journal, 24 June 2016.