We’ve got some good news and some bad news regarding the EU-US Privacy Shield, the trans-Atlantic data transfer framework approved by regulators in July of 2016. The good news first: The U.S. Department of Commerce recently approved DiscoverReady’s Privacy Shield self-certification submission, which means that our clients may lawfully transfer personal data from the EU to us in connection with our work for them. You can review our self-certification here.
EU-US Privacy Shield News
Now the bad news: At least two lawsuits have been filed challenging the adequacy of the Privacy Shield framework. The first was brought by Digital Rights Ireland, a privacy advocacy and lobbying group. The lawsuit alleges that certain U.S. laws which permit the government to access personal information (in some instances, secretly) are inconsistent with EU laws protecting individual rights. Accordingly, the suit requests annulment of the decision approving the Privacy Shield framework. In a separate filing, the French digital rights group La Quadrature du Net challenges the effectiveness of the U.S. Ombudsman in dealing with Privacy Shield complaints, alleging that the Ombudsman is not sufficiently independent.
These legal challenges to Privacy Shield were not unexpected, however. In the wake of the framework’s approval, many privacy rights advocates criticized the agreement, alleging that it didn’t go far enough to correct the failings of the former Safe Harbor framework. So, while many U.S. organizations—including DiscoverReady—welcome the new framework and rely on its protocols, companies that routinely transfer personal information from the EU to the U.S. should still consider alternate methods of compliance with EU law, such as model contract clauses and binding corporate rules.
We’ll continue to monitor developments around the Privacy Shield challenges, and provide updates here on the blog.