On June 29, 2016, Politico reported that it has obtained updated EU-U.S. Privacy Shield documents following the latest negotiations between U.S. and EU government authorities. Certain aspects of the prior Privacy Shield framework were criticized by the Article 29 Working Party, the European Parliament and the European Data Protection Supervisor.
Although there has been no official confirmation that the updated documents reflect the latest iteration of the Privacy Shield framework, the documents do address some of the criticisms levied by various European authorities. For example, the updated Privacy Shield documents:
- clarify that the Privacy Shield applies to personal data transferred from Iceland, Liechtenstein and Norway in addition to the EU Member States;
- require Privacy Shield-certified companies to include a provision in onward transfer contracts obligating the recipient to notify the Privacy Shield-certified company if the recipient can no longer provide the same level of protection as required by the Privacy Shield principles; and
- include an express obligation for Privacy Shield-certified companies to delete or de-identify personal data after it is no longer relevant for the purposes of processing or compatible purposes, with limited exceptions (e.g., processing for public interests).
According to Politico, the Article 31 Committee’s vote on the EU-U.S. Privacy Shield framework will take place on July 8, before being formally adopted by the European Commission on July 11. Then, European Commissioner Jourová and U.S. Secretary of Commerce Penny Pritzker are expected to formally sign the deal and present it to the public on July 12.