In the much anticipated first annual review of the EU-US Privacy Shield program, the European Commission concluded that the program continues to provide adequate protection for personal information transferred from Europe to the United States. The Privacy Shield lets EU entities send personal information to participating US companies without running afoul of EU law – law which prohibits the exporting of personal information to entities located in countries whose laws were not deemed “adequate” (except in certain limited circumstances). The US has not been deemed to have “adequate” laws (only a few non-EU countries have been determined adequate, among them Canada, Israel, New Zealand, Switzerland and Uruguay).
The Shield was created last year as a mechanism to permit transfers to participating companies in the US, and was at the time deemed “adequate” by the EU. The mechanism replaced the EU-US Safe Harbor program, which received criticism on the European side for many issues, one of which was being outdated and not regularly reviewed. As a result, the Shield was approved on the condition that it be reviewed annually. There was some concern in this first annual review that the new program might not receive an approval. Those fears proved unfounded, with the recent adequacy decision just issued by the EU. The EU Commission, did, though outline several areas where it believed the program could be improved, including, among other things, ongoing compliance monitoring by the Department of Commerce and joint US-EU awareness raising of the program.
The US maintains a list of participating companies on the Department of Commerce website, which can be accessed here.
PUTTING IT INTO PRACTICE: Companies in the Shield will take comfort in the ongoing adequacy decision, and new participation may increase as a result of the decision. Companies considering the Shield should keep in mind the various steps for participation, of which we have written about in the past.