Agreement on the transfer of personal data to the USA

On 12 July 2016 the European Commission took a decision to implement an agreement between the United States and the European Union on the transfer of personal data to the USA ("Privacy Shield”). This agreement replaces the Safe Harbor agreement, which the Court of Justice of the European Union found incompliant with EU laws.

Privacy Shield regulations apply to companies based in the USA that receive data from the EU in order to guarantee that privacy is protected during data processing. Data processing by entities based in the USA will be supervised by the US Department of Commerce. The Department will also be responsible for keeping and regularly updating a list of companies participating in the Privacy Shield programme and for assessing whether their data processing complies with Privacy Shield principles.

US entities can receive personal data under the Privacy Shield once they obtain certification from the US Department of Commerce. To obtain certification, the applicant will have to, inter alia, provide the Department with a detailed description of operations carried out on the personal data of EU citizens, publicise its privacy policy and commit to adhere to Privacy Shield principles.

The new agreement also imposes restrictions on US security services and authorities accessing the personal data of Europeans. It also enables Europeans to claim their rights in the USA if their privacy is breached by US authorities or services, inter alia, by appointing a US ombudsman to deal with claims that US intelligence services have illegally accessed personal data.

Although the agreement came into force on the day it was adopted, US companies can start applying for Privacy Shield certification from 1 August 2016.