The EU has approved a new framework for transfers of personal data from the EU to the US, called the EU-US Privacy Shield. The Privacy Shield will replace the old ‘Safe Harbour’, which was ruled invalid in October 2015.
According to the EU, the EU-US Privacy Shield is fundamentally different from the old ‘Safe Harbor’. Like Safe Harbor, it is a self certification process. However, it imposes stronger obligations on companies handling the data to make sure that the rules are followed and enforced in practice.
Also, for the first time, the U.S. has given the EU written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizens’ data. Privacy Shield also provides some mechanisms for redress including a specific ombudsman.
Registration for Privacy Shield can begin 1 August 2016. US companies that wish to take advantage of Privacy Shield can benefit from a nine month grace period to get into compliance if they register for Privacy Shield before end September 2016. So this does not give much time to decide about this and take action.
Unfortunately, while Privacy Shield is a very welcome development, it does not mean that the whole vexed issue of transfers from the EU to the US has been resolved. The Article 29 Working Party – made of the European data protection regulators – have been critical of certain aspects of Privacy Shield, which raises the possibility that Privacy Shield will itself be subject to challenge at some point.
In addition, the EU Model Clauses – the main enabling solution for transfers of personal data from the EU – has also been referred to the EU court by the Irish data protection regulator and could possibly suffer the same fate as Safe Harbor.
Privacy Shield – progress, but not the legal certainty that businesses need.