EU-US Privacy Shield made into law - So what happens now?

EU-US Privacy Shield

The recent Brexit vote has thrown up a number of hugely pressing questions that will be at the very top of the agenda within the corridors of power of the UK government.

Preserving the UK's economic might will be one of the key priorities for new prime minister Theresa May, with technology expected to be at the forefront.

Handling and storing data has become one of the most important aspects relating to how many modern companies conduct their business, with organisations accumulating more information than ever before.

July 12th saw the European Commission officially adopt the EU-US Privacy Shield as law, with the measures aiming to protect the fundamental rights of anyone in the EU whose personal data is dealt with by the United States.

It also aims to bring clarity on the legal position for businesses that rely on transatlantic data transfers.

Upon the introduction of the new measure, Andrus Ansip, Commission vice-president for the Digital Single Market, said: "We have approved the new EU-U.S. Privacy Shield today. It will protect the personal data of our people and provide clarity for businesses. We have worked hard with all our partners in Europe and in the US to get this deal right and to have it done as soon as possible. Data flows between our two continents are essential to our society and economy – we now have a robust framework ensuring these transfers take place in the best and safest conditions".

Companies handling data under the arrangements will fall under a number of obligations, with the US Department of Commerce conducting regular updates and reviews of participating companies, in order to ensure that the rules are being followed.

If the US government does choose to access such information, the new directive will ensure there is greater transparency. It is perhaps worth remembering that the US has largely ruled out opting for indiscriminate mass surveillance on personal data transferred.

Indeed the rights of individuals will be protected under the measures, meaning that any citizen that suspects their data has been misused will have access to several dispute resolution mechanisms.

Organisations will have around two years to prepare and act as data borrowers and not owners. Under the measures data cannot be owned and is instead on loan, meaning customers can monitor how that information is used, decide who accesses it and can even demand its return. Companies will have to display the ability to audit and control the relevant processes.

A key process that will be at the centre of the new regulations is the requirement for companies to report any data breach within 72 hours of the breach occurring. It means that many will have to ensure they have a plan in place.

Worryingly, a recent Cloud Security Alliance survey found that only 44.5 per cent of organisations said they had a process in place.

Failure to comply will see companies face heavy fines, with the new law set to raise the maximum fine to four per cent of a company's global revenue or €20 million, whichever is higher.

Despite the recent Brexit vote, the UK is by no means exempt from the new rules, with the measures covering every current member of the EU, including the UK.