As of, August 1st, 2016, U.S. companies can now join the Safe Harbor successor EU-U.S. Privacy Shield (the “Privacy Shield”) for personal data transfers from the EU to the U.S.
This post gives a high level summary of what companies should consider with the Privacy Shield.
On July 12, 2016, the European Commission (the “Commission”) formally adopted the adequacy decision necessary to implement the Privacy Shield. This means that transfers of personal data from the EU to the U.S. that are made pursuant to the Privacy Shield’s requirements are lawful under EU law. The Privacy Shield replaces the EU-U.S. Safe Harbor Framework, which was invalidated by the Court of Justice of the European Union (“CJEU”) on October 6, 2015.
After receiving the approval of the EU Member States, through the Article 31 Committee, last Friday, the European Commission has today, July 12th, 2016, formally adopted the Adequacy Decision necessary to implement the EU-U.S. Privacy Shield (the Decision).
The Decision will be notified to Member States today and, as such, will be effective immediately.
The adoption process had stalled in recent months due to ongoing concerns about the access to personal data by public authorities in the U.S. You can read about some of these concerns in our previous blog post.
The European Commission has received further commitments from the U.S. and has agreed clarifications and improvements on the bulk collection of data, strengthening the Ombudsperson mechanism and more explicit obligations on companies as regards limits on retention and onward transfers. Those commitments and clarifications have been sufficient to allay the EU member states, at least for now.
The Privacy Shield is subject to an annual review mechanism.
On 29 February 2016 the European Commission issued the legal texts of the EU-U.S Privacy Shield which aims to replace the defunct EU-U.S Safe Harbor Framework as a legitimate mechanism for transferring personal data from the EU to the U.S.
In contrast to its predecessor, the Privacy Shield contains commitments from US government in relation to controls on access to personal data by public authorities. This is an aspect of the new scheme which aims to address the jurisprudence of the Court of Justice of the European Union and criticisms of the previous Safe Harbor Framework.
The European Commission has announced that it has reached a deal to replace the EU-US Safe Harbor framework that was declared invalid last year by the Court of Justice of the European Union (“ECJ”). Heralded as the EU-US Privacy Shield (and colloquially referred to as, “Safe Harbor 2.0”), the framework should provide companies with clearer direction on safe transatlantic data transfer.
The shockwaves continue from the October 6, 2015 ruling of the Court of Justice of the European Union (CJEU), the European Union’s highest court, invalidating the U.S.-EU “Safe Harbor” data transfer regime in a controversy arising out of Maximillian Schrems’ complaint to the Irish Data Protection Commissioner. The Schrems decision obviously has huge privacy implications for companies that transferred data under the Safe Harbor regime, but it may also impact such companies’ cyber insurance.
Yesterday, German federal and state (Länder) data protection authorities (“DPAs”) issued a Position Paper following the recent Court of Justice of the European Union (“CJEU”) ruling that struck down the EU-US Safe Harbor Framework. Read an unofficial translation of the German Position Paper here.
Unfortunately, the Position Paper does little to relieve the pressure many organisations are now facing in relation to their cross-Atlantic data transfer mechanisms, particularly those used to transfer data from Germany to the United States. READ MORE