As noted by many commentators at the time, following the 6 October 2015 ruling of the European Court of Justice (ECJ) in Case C-362/14 Maximillian Schrems v. Data Protection Commissioner, the main tool used within the European Union to (legitimately) transfer personal data to the United States, the so-called Safe Harbor regime, had practically ceased to exist. As regards Italy particularly, a few days after the ruling in question, the Garante della Privacy (the Italian Data Protection Authority) hastily decreed the revocation of its 2001 decision sanctioning the European Commission’s decision on the Safe Harbor agreement, thus, for all intents and purposes, taking the Safe Harbor scheme out of the picture as far as the Italian jurisdiction was concerned.
It was a legislative void of no small relevance for many Italian subsidiaries of US multinationals, which typically export to their US parent company employees’ and/or customers’ personal data, or, for that matter, for all companies placing personal data in the “cloud”, with servers located in the United States. All these businesses had to resort to alternative, less practical methods in order to continue exporting such data without running the risk of being found in breach of the law.
Meanwhile, the European Union Commission and the US authorities worked out a solution by signing the so-called “EU-U.S. Privacy Shield”, a new set of principles that ensure an adequate level of protection for personal data transferred from the EU to the USA, ratified by the European Commission decision no. 2016/1250 of 12 July 2016.
The last piece of the puzzle from an Italian perspective was the Garante’s official endorsement of that decision. That has finally arrived with the Garante’s resolution no. 436 of 27 October 2016, published in Italy’s Official Journal on 22 November 2016.
Companies subject to the Italian jurisdiction will now be able to transfer personal data to US-based organisations that commit or will commit to complying with the “Privacy Shield” principles.
The Garante has, however, reserved the right to review whether any export of personal data complies with the law and to adopt further measures as necessary.