EU DPAs: Further improvements required for EU-US Privacy Shield

The EU Data Protection Authorities say that they welcome the changes made to the EU-US Privacy Shield’s final version. But several concerns remain regarding both the commercial aspects and the access by US public authorities to data transferred from the EU. The DPAs point out that there is a lack of specific rules on automated decisions and of a general right to object. It also remains unclear how the Privacy Shield Principles will apply to processors, they say. The DPAs would also like to see stricter guarantees concerning the independence and the powers of the Ombudsperson, and say that the first joint annual review will be ‘a key moment for the robustness and efficiency of the Privacy Shield mechanism to be further assessed’. The results of the first joint review regarding access by US public authorities to data transferred under the Privacy Shield may also impact transfer tools such as Binding Corporate Rules and Standard Contractual Clauses, they say.

The European Commission adopted the EU-US Privacy Shield adequacy decision on 12 July. It will also apply to data transfers from the three European Economic Area countries (Norway, Iceland and Liechtenstein) to the US.

The DPAs will soon provide information to data controllers about their obligations under the Shield.