The European Commission has now published draft texts that could be used to implement an EU/US Privacy Shield to replace the previous Safe Harbor agreement. It appears that the new scheme would only cover “commercial exchanges” of personal data between the EU and US so it is unlikely to be appropriate for export of personal data to US universities or non-profit organisations. As with Safe Harbor, those need to be covered by other approved export mechanisms such as model contracts or individual consent.
For the Privacy Shield to be acceptable as a means of transfer to US companies, it will first need to be approved by the Article 29 Working Party of European Data Protection regulators. They are expecting to report in mid-April. But, like Safe Harbor, their decision could still be challenged in the European Court of Justice, so legal uncertainty is likely to persist around any new mechanism for some time.
Any organisation exporting personal data, whether to the US or elsewhere, should aim to provide a range of data protection measures, rather than relying on any single one.
