EU-US Privacy Shield for transatlantic data transfers finalized

Robinson+Cole Data Privacy + Security Insider

[co-author: Peter Wainman - Mills & Reeve LLP]

Transfers of personal data from most European countries to the US have been exposed to legal attack since October 2015, when privacy campaigner Max Schrems successfully sued the Irish authorities over data transfers made by Facebook Ireland. The main objection to the Safe Harbor was that transferring EU citizens’ data to the U.S. subjected the data to the U.S. government’s bulk surveillance.

That David-and-Goliath litigation saw the end of the “Safe Harbor” decision protecting transatlantic data flows when the European courts declared it invalid. While other legal methods of data transfer are available, the Safe Harbor was widely relied on, especially by technology businesses.

A new Privacy Shield

Since then, the EU and US authorities have been working on a replacement – the EU-US “Privacy Shield.” After a first attempt was rejected by national and EU regulators, a tightened-up version has now passed the test. The U.S. Department of Commerce has a useful fact sheet and a guide to certification available on its website. Likewise, the European Commission’s press release and FAQs document provide a helpful summary.

The revised version of the Privacy Shield consists of: an adequacy decision describing the system of self-certification through which US organizations commit themselves to a set of privacy principles; and a set of seven Annexes dealing with the arrangements that the US authorities will implement to safeguard EU citizens’ data.

US companies will be able to self-certify with the U.S. Department of Commerce beginning on August 1. There will be an annual joint review process to check that the system is working.

The certainty offered by agreement of the Privacy Shield has been widely welcomed. The Privacy Shield requires the creation of a new U.S. authority intended to address concerns of EU citizens about U.S. government surveillance. However, this may not be the end of the story. Max Schrems, the activist responsible for the demise of its predecessor, has told journalists that Privacy Shield is full of holes, and as such is likely to fail a legal challenge – although he does not want to be the one to bring it.

What does this mean for the UK?

The UK privacy regulator, the ICO, has indicated that it will press for UK laws to track those of the EU.

It may be that the UK will adopt most of the changes due to take effect in 2018 under the GDPR, but leave out some of the more onerous obligations that could impede the activity of SMEs, for example. If the UK ends up with a relatively distant relationship with the EU compared to an EEA member like Norway, privacy laws could diverge. In that case, the UK will have to demonstrate adequacy of protection for European citizens’ privacy, as the US has done, if it is to do business freely across Europe.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising
