Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield (notified under document C(2016) 4176) (Text with EEA relevance)

For the purposes of Article 25(2) of Directive 95/46/EC, the United States ensures an adequate level of protection for personal data transferred from the Union to organisations in the United States under the EU-U.S. Privacy Shield.

The EU-U.S. Privacy Shield is constituted by the Principles issued by the U.S. Department of Commerce on 7 July 2016 as set out in Annex II and the official representations and commitments contained in the documents listed in Annexes I, III to VII.

For the purpose of paragraph 1, personal data are transferred under the EU-U.S. Privacy Shield where they are transferred from the Union to organisations in the United States that are included in the ‘Privacy Shield List’, maintained and made publicly available by the U.S. Department of Commerce, in accordance with Sections I and III of the Principles set out in Annex II.

The Commission will continuously monitor the functioning of the EU-U.S. Privacy Shield with a view to assessing whether the United States continues to ensure an adequate level of protection of personal data transferred thereunder from the Union to organisations in the United States.

The Member States and the Commission shall inform each other of cases where it appears that the government bodies in the United States with the statutory power to enforce compliance with the Principles set out in Annex II fail to provide effective detection and supervision mechanisms enabling infringements of the Principles to be identified and punished in practice.

The Member States and the Commission shall inform each other of any indications that the interferences by U.S. public authorities responsible for national security, law enforcement or other public interests with the right of individuals to the protection of their personal data go beyond what is strictly necessary, and/or that there is no effective legal protection against such interferences.

Within one year from the date of the notification of this Decision to the Member States and on a yearly basis thereafter, the Commission will evaluate the finding in Article 1(1) on the basis of all available information, including the information received as part of the Annual Joint Review referred to in Annexes I, II and VI.

The Commission will report any pertinent findings to the Committee established under Article 31 of Directive 95/46/EC.

The Commission will present draft measures in accordance with the procedure referred to in Article 31(2) of Directive 95/46/EC with a view to suspending, amending or repealing this Decision or limiting its scope, among others, where there are indications:

• that the U.S. public authorities do not comply with the representations and commitments contained in the documents annexed to this Decision, including as regards the conditions and limitations for access by U.S. public authorities for law enforcement, national security and other public interest purposes to personal data transferred under the EU-U.S. Privacy Shield,

• of a systematic failure to effectively address complaints by EU data subjects, or

• of a systematic failure by the Privacy Shield Ombudsperson to provide timely and appropriate responses to requests from EU data subjects as required by Section 4(e) of Annex III.

The Commission will also present such draft measures if the lack of cooperation of the bodies involved in ensuring the functioning of the EU-U.S. Privacy Shield in the United States prevents the Commission from determining whether the finding in Article 1(1) is affected.