Data Protection – the EU-US “Privacy Shield” is here – for now!
In February we commented on the agreement reached between the EU and US authorities on a new framework for transatlantic data flows, called the “EU-US Privacy Shield”. This would allow the transfer of personal data from EU countries to the USA, where other legal justifications for this are not available.
The background, to recap, is that it is illegal to transfer personal data from EU countries to countries which do not have an equivalent level of legal protection, the USA being one of them. The previous scheme which purported to permit this, the “Safe Harbor”, was held invalid by the European Court in 2015, following the disclosures by Edward Snowden of mass surveillance of personal data by the US authorities.
What has happened since February is that, in response to concerns expressed regarding the Privacy Shield agreement, further modifications to the new arrangements have been made, and further assurances have been given by the US authorities, which enabled the EU Commission to make a decision as to the adequacy of the new arrangements.
The Privacy Shield arrangements involve new legal rights for EU citizens under the Judicial Redress Act, with the appointment of an Ombudsman (a new concept for the USA) and arbitration provisions. US companies will be able to self-certify from 1st August, and will have nine months to adjust their contracts.
It is possible that legal attacks will be made against the new scheme, and it may take time for US companies to make use of it, so entities in the EU should consider their position. The authorities in Germany have been fining companies for non-compliance, although the UK’s Information Commissioner’s Office has taken a more laid-back approach.
The UK is, of course, still a member of the EU, notwithstanding the Brexit vote, but UK businesses will not be able to use the Privacy Shield after we exit the EU. Where we will be on this issue in just over two years’ time is anyone’s guess at the moment.