E.U.-U.S. "Privacy Shield" Update, Part II

 Posted by Matt CorneliaE.U. law restricts the transfer of personal information outside of the E.U. unless adequate safeguards are in place.  Last October, the European Court of Justice determined that the system of safeguards being used by most companies, known as the “Safe Harbor,” failed to provide an adequate level of security, creating uncertainty and risk for companies that transfer customer, employee, or other personal data across the Atlantic. Since then, officials from the E.U. and the U.S. have been working to devise a new set of privacy safeguards.At the time of my last post, the E.U. and U.S. had agreed in principle and released the text of the E.U.-U.S. Privacy Shield. I noted that the text of Privacy Shield calls for significant improvements over the now-defunct Safe Harbor framework. Still, Privacy Shield does not officially provide an “adequate level of protection” until the European Commission releases an adequacy decision.On March 17, the E.U. Parliament held hearings related to Privacy Shield. There, representatives from several prominent E.U. data protection authorities voiced their concerns about it. Unfortunately, these concerns injected additional uncertainty into the process, making further negotiations almost inevitable before Privacy Shield can be adopted.More recently, on April 13, the E.U. Article 29 Data Protection Working Party released its opinion and draft adequacy decision regarding Privacy Shield. It expresses concern that Privacy Shield information is difficult to find, and at times inconsistent, leading to an overall lack of clarity regarding the new framework. It further opined that Privacy Shield did not reflect some of the key data protection principles outlined in European law. As a result, the Working Party concluded that clarifications and improvements are necessary before Privacy Shield can be approved as adequate.Attorneys at Thompson & Knight continue to follow these developments. If you have additional questions, please contact one of Thompson & Knight’s Cybersecurity attorneys.