The EU-USA Privacy Shield, which was adopted on 12 July 2016, is a new framework for protecting the fundamental rights of all EU citizens in the event of their personal data being transferred to the United States. At the same time, it must ensure legal certainty for companies whose activities centre on transfers of data across the Atlantic. As regards the provisions for data transfers for commercial purposes, operators should not have to constantly change compliance models. Despite this, the draft decision has been based on the EU’s existing legal framework, which is to be replaced by Regulation 2016/679 (the General Data Protection Regulation, or GDPR) in May 2018, less than one year after the full implementation by controllers of the Privacy Shield. The GDPR creates and reinforces obligations on controllers which extend beyond the nine principles developed in the Privacy Shield.
What steps does the Commission plan to take to adapt the Privacy Shield to the General Data Protection Regulation, to allow the relevant amendments to be decided in good time, to ensure a sound legal framework and to provide stimulus to Transatlantic relations?