EU-US data transfers: Privacy Shield to replace Safe Harbor

Under the existing regulations, personal data can only be transferred to a country or territory outside the European Economic Area (EEA) if that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects, and thus ensures protection of personal data in accordance with the protection standards offered within the EEA.

That said, the US is not considered as offering an adequate level of protection of personal data. Thus, any transfer of personal data from the EU to the US is subject to restrictions. Until October 2015, in order to ease transatlantic relations, a US-EU Safe Harbor framework allowed for any transfer of personal data to a business or organization in the US, provided the recipients adhered to the so-called “Safe Harbor principles”.

Since the adoption of the Safe Harbor framework, the adequacy of the level of protection guaranteed by the scheme has been called into question by human rights groups and scholars.

Background: CJEU ruled the Safe Harbor framework as invalid

On October 6, 2015, the CJEU issued a ruling in the case Schrems v. Data Protection Commissioner (Case C-362/14) declaring invalid the European Commission’s Decision 2000/520/EC of 26 July 2000, which formed the basis of data transfers between the EU and the US.

The decision came after the revelations made by Edward Snowden in 2013 concerning the activities of the United States intelligence services (in particular the National Security Agency, the NSA), which demonstrated that the law and practices of the US offer no real protection against US surveillance of the data transferred to that country.

A new framework for transatlantic data flows

On February 2, 2016, the European Commission announced that it had reached a political agreement with the United States Department of Commerce to replace the invalid Safe Harbor agreement with a new ‘EU-US Privacy Shield’ (the Privacy Shield).

Commissioner Jourová stated that the Privacy Shield is part of a wider effort to restore trust in transatlantic data flows. Indeed, the Privacy Shield, which has yet to be formally adopted by both the European Commission and the United States Department of Commerce, will enable US companies to receive, store and use personal data from Europe based on specific rules.

Below are the key objectives of the Privacy Shield, which aims to:

  • impose stronger obligations on US companies processing European data;
  • provide stronger monitoring and enforcement by the United States Department of Commerce and the Federal Trade Commission;
  • make commitments regarding access to information on the part of public authorities;
  • allow EU citizens to file complaints with the United States Department of Commerce and the Federal Trade Commission. In addition, any citizen shall be granted the right to an alternative dispute resolution mechanism, free of charge.

What are the next steps?

The College of Commissioners mandated Vice-President Ansip and Commissioner Jourová to prepare a draft Privacy Shield agreement, to be adopted by the College of Commissioners after obtaining the advice of the Article 29 Working Party.

The agreement will then need to be passed by the European Commission in the form of a decision.

On the US side, the United States Department of Commerce is working to implement the agreed-upon mechanisms.

In the meantime, the Article 29 Working Party approved the use of model contractual clauses and binding corporate rules to legitimize transatlantic data flows.