1. Background – invalidation of “Safe Harbour”

In October 2015, we reported on the invalidation by the European Court of Justice (the “CJEU”) of the “Safe Harbour” regime for personal data exports from the EU to the US.

The CJEU ruled that the Safe Harbour regime failed to provide sufficient guarantees to ensure adequate data protection where US law allows access to personal data transferred by European undertakings to their US parent company by the NSA and other US security agencies in the course of a mass and indiscriminate surveillance and interception of such data, without any effective judicial protection for EU citizens.

As a result, many companies operating internationally had to either stop sending personal data collected in the EU to the US, or to implement an alternative legal basis to legitimize their data exports.

On 31 January 2016, the grace period for companies to implement such alternative legal basis expired.  As from 1 February 2016 national data protection authorities would start pursuing infringements.

2. “Privacy Shield” to replace “Safe Harbour”

After several months of high level political negotiations, the European Commission finally announced on 2 February 2016 that it had agreed with the US government to replace the Safe Harbour regime by a so-called “Privacy Shield”.  

According to the European Commission, the EU-US “Privacy Shield” takes into account the requirements set out by the CJEU in its ruling on 6 October 2015. The new framework for transatlantic data flows aims to protect the fundamental rights of European citizens whose data are transferred to the US, and to ensure legal certainty for businesses operating internationally.

The “Privacy Shield” will:

  • Impose stronger obligations on US companies to protect personal data collected in the EU (US companies wishing to import personal data from the EU will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed);
  • Ensure stronger monitoring and enforcement by the US Department of Commerce and Federal Trade Commission;
  • Result in increased cooperation between US and European data protection authorities (including an annual joint review of the “Privacy Shield”);
  • Provide for commitments by the US that access to personal data by public authorities will be subject to clear conditions, limitations and oversight, preventing generalised access; and
  • Lead to the creation of a dedicated Ombudsman in the US legal order, allowing European data subjects to raise enquiries or to file complaints (free of charge).

3. Are EU-US data flows now “safe” again?

Today, the “Privacy Shield” is a ‘mere’ political agreement that still has to be formalised in writing.  Also the Article 29 Working Party’s advice has to be obtained before finalising the text. In the meantime, the US will make the necessary preparations to put in place the new framework, monitoring mechanisms and new Ombudsman.

Whether the “Privacy Shield” will pass the CJEU’s adequacy test (which the Safe Harbour failed) still remains to be seen.

The “Privacy Shield” already has many critics, among which MEP’s Jan Albrecht and Sophie in ‘t Veld, and “data protection activist” Maximilian Schrems (who filed the complaint that led to the invalidation of the Safe Harbour).

At least for now, the saga – and legal uncertainty – continues…