EU-US Privacy Shield first annual review announced following a challenging introduction

On 12 July 2016, the European Commission adopted an “adequacy decision” allowing for the transatlantic transfer of personal data from the EU to the US in accordance with the framework and principles of the EU-US Privacy Shield (the "Privacy Shield").

Two privacy advocacy groups have however since filed actions in the European General Court to annul the adequacy decision. On 28 October 2016 the Irish privacy advocacy group, Digital Rights Ireland, filed an "action for annulment" on the basis that the Privacy Shield does not sufficiently protect the privacy rights of EU citizens. If successful, the action would invalidate the European Commission's adequacy decision that approved and adopted the Privacy Shield. The group filed the challenge in the General Court based in Luxembourg, the second highest EU Court after the CJEU. A further challenge was also filed in the General Court by a French civil society group at the end of October 2016. It could take the General Court twelve months or more before a decision is handed down. 

More recently, in April 2017, the EU justice commissioner, Vera Jourovà confirmed the first annual joint review of the Privacy Shield will be conducted by the Commission and the US Department of Commerce in September 2017. Following the review, the Commission will issue a public report to the European Parliament and the Council of the EU. The European Parliament has also adopted a non-legislative resolution which outlines its concerns on the adequacy of the protection afforded by the Privacy Shield and calls on the Commission to conduct a "thorough and in-depth examination of [its] shortcomings".

Whilst over 2000 US companies are currently certified under the Privacy Shield scheme, in light of the above challenges (and the referral of the so-called Model Clauses to the Court of Justice of the European Union), we still await and welcome further clarification regarding the status of international data transfers. In the meantime, whilst some organisations are currently dealing with this uncertainty by taking a hybrid approach and using a combination of different data transfer options, others are likely to just closely follow any developments and alternative mechanisms subsequently suggested.