While EU regulators determine whether to adopt a new agreement for transfers of personal data from Europe to the United States to replace the invalid EU-U.S. Safe Harbor Framework, German data protection authorities have not been idly twiddling their thumbs.
Hamburg’s data protection commissioner, the head of one of 16 Federal German data protection authorities (“DPA”), announced in February that his agency is investigating Hamburg-based subsidiaries of large U.S. companies engaging in transfers of personal data of EU citizens to the U.S.
Bad news for companies relying on transatlantic data flows as, once again, the transfer of personal data from Europe to the United States is called into question by the Article 29 Working Party (the “Working Party”), an influential committee of the EU privacy regulators. Ever since the EU-U.S. Safe Harbor Framework was declared invalid by the Court of Justice of the European Union in October 2015, companies have had to find alternative ways to legally transfer personal data. On 29 February 2016, the EU Commission proposed the “EU-U.S. Privacy Shield” as a replacement to the Safe Harbor Framework and a potential solution.
On 29 February 2016 the European Commission issued the legal texts of the EU-U.S Privacy Shield which aims to replace the defunct EU-U.S Safe Harbor Framework as a legitimate mechanism for transferring personal data from the EU to the U.S.
In contrast to its predecessor, the Privacy Shield contains commitments from US government in relation to controls on access to personal data by public authorities. This is an aspect of the new scheme which aims to address the jurisprudence of the Court of Justice of the European Union and criticisms of the previous Safe Harbor Framework.