Privacy Shield replaces Safe Harbor (or does it?)

In February 2016, the European Commission and the United States agreed on a new framework to permit transatlantic transfers of personal data and replace ‘Safe Harbor’. It’s called ‘Privacy Shield’.

Privacy Shield aims to comply with the requirements the European Court of Justice outlined when it declared Safe Harbor invalid in October 2015. The key aspects are:

  • Provides mechanisms for greater oversight and enforcement by the U.S. Department of Commerce and the Federal Trade Commission;
  • Places more stringent obligations on U.S. companies to protect EU citizens’ personal data; and
  • Provides an opportunity for EU citizens to complain via a new ombudsperson.

WHAT IS THE STATUS OF THE NEW EU-US PRIVACY SHIELD?

Privacy Shield is not a ‘done deal’. The European Parliament has made it clear that it has concerns about how the arrangement would work in practice. 

Ominously, the working party of data protection authorities (WP29) has issued a statement to the effect that it still does not view US government surveillance laws as sufficiently protective of privacy (which calls all transfers of personal data to the US into question, regardless of the transfer method used), but it will reconsider this position in light of the Privacy Shield in the coming months.

IF YOU ARE TRANSFERRING DATA TO THE US, WHAT SHOULD YOU BE DOING?

EU-US data transfers on the basis of Safe Harbor are technically illegal. This means that companies that have continued to rely on Safe Harbor to validate data transfers to the US could be at risk of enforcement action.

Model clauses and binding corporate rules may or may not be valid transfer mechanisms (see above).

WHICH MEANS? 

Privacy Shield will still face hurdles in being implemented. Unfortunately, the uncertainty over the validity of transatlantic transfers of personal data will continue for about another two months at least.

In the meantime, from an enforcement perspective, the Working Party has also confirmed that EU data protection authorities will deal with related cases and complaints on a case-by-case basis.
