Is Privacy Shield still adequate for data transfers to the US?

In July 2016, the European Commission formally adopted Privacy Shield, a new framework for exchanges of personal data between the EU and US for commercial purposes. This means that Privacy Shield is approved by the EC as an adequate means of transferring personal data from the EEA to the US. This remains the position until the EC decides to change its adequacy decision. 

In October 2017, the EC published its annual report on the functioning of the Privacy Shield. The report’s conclusion was that whilst the US continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the Union to organisations in the US, some further improvements could be made to the practical implementation of the Privacy Shield framework. 

More recently the civil liberties committee and MEPs have been calling for a suspension and review of Privacy Shield following the Facebook – Cambridge Analytica data breach. 

For now, Privacy Shield is an adequate means of transferring personal data to the US, but businesses who use third party processors in the US should keep an eye out for changes to this position, in particular, in the annual review this autumn.