On 12 July, the European Commission formally adopted a new framework for transferring data between the European Union (EU) and the United States (US) – the EU-US Privacy Shield – eight months after the landmark decision in Schrems v Irish Data Protection Commissioner ruled the Safe Harbor mechanism invalid.

What was Safe Harbor?

Safe Harbor was the agreed standard companies were required to meet in order to adequately protect data which was transferred from Europe to the USA. The Schrems case declared that the Safe Harbor mechanism was not an adequate means of transferring transatlantic data and did not provide sufficient protection to European citizens' personal data, thus the mechanism was invalid.

Safe Harbor was relied on by a large number of US companies, so since the Schrems decision the European Commission and the US authorities have been working to find an alternative. Welcome the EU-US Privacy Shield!

What is the EU-US Privacy Shield?

The new framework is intended to provide robust protection for European citizens whose data is being transferred to the US and places a number of safeguards on the US authorities regarding their access to the personal data of Europeans to ensure their data is adequately protected.

It has been difficult to align the views of the EU and the US on privacy, which is why it has taken from October last year until now to formalise an agreement.

In February, the European Commission published the legal texts, which were scrutinised by the Article 29 Working Party (consisting of EU member states' data protection regulators) and the European Parliament. Notably, when the Article 29 Working Party released its review of the framework back in April, it was highly critical of the draft, voicing concern over the "massive and indiscriminate" bulk collection of data by the US authorities and the independence of the US ombudsman. (For further information on the Working Party's concerns, see our previous blog 'When is a shield not a shield?').

After weeks of discussions back and forth between negotiators for the EU and the US, an agreement has finally been reached, taking into account the criticisms of the Article 29 Working Party. Vera Jourova, the European Commissioner for Justice, has announced that the new EU-US Privacy Shield "brings stronger data protection standards" which will "restore the trust of consumers when their data is transferred across the Atlantic."

The new Privacy Shield has gone further in protecting the individual rights of data subjects by imposing stronger rules regarding US mass surveillance, increasing the independence of the US ombudsman from US national authorities and imposing clear safeguards on the protection of EU citizens' data from US authorities.

What happens next?

As with Safe Harbor, US companies will have to self-certify under the Privacy Shield regime, which they will be able to do from the 1st of August. Companies should begin to assess how the implementation of the new EU-US Privacy Shield will affect their business.

Comments have already been made as to whether the new Privacy Shield will in fact provide adequate protection in EU-US data transfers. Therefore, it probably will not be long before the Privacy Shield, like Safe Harbor, is challenged in court. Watch this space!

© MacRoberts 2016
