A fundamental part of EU data protection law is a prohibition against personal data being transferred to places that do not offer sufficient privacy protections. The “safe harbour” agreement had for over 15 years helped ensure that EU to US data transfers did not fall foul of this basic rule - by allowing US companies to self-certify that the information sent to their data centres would be protected.
All that changed in October 2015 when, in a case brought by privacy activist Max Schrems against Facebook, the European Court of Justice found safe harbour to be invalid as it failed to adequately protect European citizens’ data. For example, in the wake of the Edward Snowden disclosures there was concern that personal data of EU citizens held on servers located in the USA might be accessed by the US authorities.
The ensuing hiatus has created considerable uncertainty as to how to ensure EU to US data transfers do not breach EU law. The fall-back position has been to rely on the EU “model clauses” or to use binding corporate rules (BCR).
The first step in a new solution for EU/US data transfers has now been taken. Last month the European Commission and the US reached a political agreement for transatlantic exchanges of personal data for commercial purposes: the new EU/US privacy shield. At this stage it is simply an agreement between the EU and the US and is yet to be adopted into law. It is presently being scrutinised by the Article 29 Working Party (WP29), which is a group of European data protection authorities including the UK’s Information Commissioner’s Office.
The outcome of this process is keenly awaited: How will US organisations react to the proposals? Will they willingly allow EU privacy regulators to police compliance with the new rules? Privacy activists (including Max Schrems) have already taken to the internet, indicating that they will challenge the new regime at the ECJ if the privacy shield does not represent a substantial improvement over safe harbour.
So what are the differences between safe harbour and the privacy shield?
However, critics have pointed out that the privacy shield agreement will only be as effective as its implementation and it is likely that the implementation process will take some considerable time. So it is still early days and much uncertainty still remains.
We will continue to monitor progress but in the meantime EU companies planning to transfer personal data to the US should seek advice as to the appropriate mechanisms for ensuring they do not breach current data protection law - not least because the WP29 has said that it will continue to assess other tools (such as the “model clauses” and BCR), suggesting that even these may themselves be subject to review.