Maria Grapini, Member of the European Parliament, asked the European Commission what measures the Commission is planning to adapt the EU-US Privacy Shield, which exists since July 2016, in order to comply with the (partly new) requirements of the upcoming General Data Protection Regulation (GDPR).
The Privacy Shield is based on an adequacy decision by the Commission, just like the former Safe Harbor framework which was invalidated by the European Court of Justice (ECJ). The Privacy Shield provides one possibility to legally transfer personal data from the European Union to companies in the USA, self-certified under the Privacy Shield framework.
In her answer, Justice Commissioner Jourová expressed a rather optimistic view.
Firstly, the Commission refers to the standards for an adequacy finding to ascertain that a third country ensures “a level of protection that is essentially equivalent to that guaranteed within the European Union”.
According to Art. 25 para 6 of the current EU Data Protection Directive (95/46/EC), the Commission may find that a third country ensures an adequate level of protection by reason of its domestic law or of the international commitments it has entered into for the protection of the private lives and basic freedoms and rights of individuals.
In its answer, the Commission refers to the decision by the ECJ in the Schrems case (C-362/14) and its interpretation of Art. 25 para 6. According to the ECJ, the word “adequate” signifies that
a third country cannot be required to ensure a level of protection identical to that guaranteed in the EU legal order.
However, the term “adequate level of protection” must be understood as requiring the third country in fact to ensure a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union.
According to the Commission, this means that it is not necessary for the third country in question to have data protection rules which are a “photocopy” of the EU system. It is especially not necessary that each individual provision in European data protection law is reflected in the third country’s legal order.
Secondly, the Commissioner further comments on the question of the continuation of existing adequacy decisions under the future GDPR. The Commission emphasizes that the GDPR rests on the same core principles, rights and obligations as Directive 95/46/EC.
The Privacy Shield framework already reflects these core elements.
The Commission is therefore assuming that the EU-US Privacy Shield adequately respects the data protection principles, rights and obligations of the future GDPR in order to fulfill the requirements for an adequacy decision as of May 2018.
However, the Commission points to Recital 146 of the EU-US Privacy Shield, according to which it will assess whether there might be a need to adapt the Privacy Shield decision in the light of the entry into application of the GDPR. According to Justice Commissioner Jourová, this will also form part of the discussions with the U.S. authorities in the context of the annual review planned for the second half of 2017.