EU Regulators Set April to Rule on U.S. Privacy Shield

The Telecommunications Law Resource Center is the most comprehensive reference and news platform for communications law, covering broadcasting, cable, broadband, telephony and wireless;...

By Stephen Gardner

March 1 — Much is riding on a crucial opinion on the legality of a new European Union to U.S. data transfer mechanism that EU privacy regulators said will be released in mid-April.

In a statement dated Feb. 29 but published March 1, the Article 29 Working Party of data protection officials from the 28 EU member states will issue at a plenary meeting April 12-13 its opinion on the European Commission's draft adequacy decision on the EU-U.S. Privacy Shield transatlantic data transfer arrangement.

The opinion is significant because it will influence the finalization of the adequacy decision. A commission official who asked not to be named told Bloomberg BNA March 1 that the Art. 29 opinion was “not legally binding, but they are important players.”

Safe Harbor Replacement

The Working Party said it welcomed the draft adequacy decision, and would assess it to “analyze the safeguards provided for in the arrangement on both the commercial aspects and the limitations for national security, public interests and law enforcement purposes.”

The European Commission, the EU's executive arm, published the draft adequacy decision Feb. 29, finding that the EU-U.S. Privacy Shield arrangement should be considered adequate to protect the privacy of EU citizens whose data is transferred to the U.S. by companies that self-certify under the Privacy Shield .

The Privacy Shield is the replacement transfer mechanism for the U.S.-EU Safe Harbor program, under which thousands of U.S. companies and their EU partners relied on as their legal cover for data transfers to the U.S. The European Court of Justice invalidated Safe Harbor in October 2015 on the basis that is did not sufficiently protect the privacy rights of EU data subjects.

Final Approval May Be Months Away

The commission official said that the Art. 29 opinion would be considered by a regulatory committee of EU member state representatives, which must approve the Privacy Shield adequacy decision by a qualified majority in order for the commission to finalize and adopt it.

There has been no date set for the regulatory committee vote, and the finalization of the Privacy Shield decision would likely be “a question of months,” the commission official said.

Certification under the Privacy Shield would require companies to demonstrate that they comply with seven data protection principles that summarize EU data protection law, according to the commission's draft adequacy decision.

To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor responsible for this story: Donald G. Aplin at