On July 8, the EU Member States adopted the EU-US Privacy Shield by a large majority. In some areas, the EU Commission met the demands of privacy advocates, led by the Article 29 Working Party, and made appropriate changes. Because of these changes, the Article 31 Committee considered the amended EU-US Privacy Shield acceptable.
On July 12, the European Commission adopted the adequacy decision, by which the EU-US Privacy Shield entered into force. It should be noted that this decision is an adequacy decision that in accordance with the Safe Harbor CJEU ruling may be reviewed by the national data protection authorities in individual cases for compliance with applicable data protection law.
In an initial statement, the Article 29 Working Party accepted the EU-US Privacy Shield, but requested that the proposed annual review of the agreement should be used to further improve the mechanism and to eliminate existing points of criticism.
Since August 1, 2016, US companies can now self-certify under the new shield at the U.S. Department of Commerce. This self-certification must be renewed annually. The Privacy Shield list is slowly beginning to fill up, with major US cloud providers already participating.
Criticism of the EU-US Privacy Shield does not stop, so it cannot be excluded that even this new adequacy decision of the EU Commission will be reviewed by the Court of Justice of European Union and may be overturned. From a corporate perspective, the international data transfer to the US and other unsafe third countries remains exciting and further development of the law should be carefully monitored.