Data Protection – Update on the US “Safe Harbor” scheme
Last October we reported on the demise of the EU-US “Safe Harbor” scheme, as a result of the decision of the European Court of Justice (ECJ) in the case of Maximilian Schrems v Data Protection Commissioner of Ireland. The ECJ held that the “Safe Harbor”, which has been used by many EU and US businesses to justify transatlantic transfers of personal data since 2000, was invalid because the US public authorities were not bound by the scheme, and this compromised the fundamental human right of EU citizens to respect for their private lives.
Amidst the ensuing uncertainty, national data protection authorities (including the UK Information Commissioner’s Office) have advised data exporters not to worry overly, and the EU Commission has now announced (on 2 February 2016) that it has reached agreement with the US authorities on a new framework for transatlantic data flows, called the “EU-US Privacy Shield”.
The main points are:
- The US has given (or will give) the EU binding assurances that the access of US public authorities to personal data for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms (apparently including a new Ombudsperson, or similar)
- EU citizens will benefit from redress mechanisms in this area.
The US has also given assurances that it “does not conduct mass or indiscriminate surveillance of Europeans”.
While this appears to be good news both for businesses and private individuals, it will take some time for the details to be worked out, and will require a formal “adequacy decision” from the EU Commission. So it is still a case of “wait and see”.