The European Commission has adopted a new legal arrangement for organizations transferring personal data from the European Union to the United States for storage and processing. The arrangement, known as the ‘Privacy Shield’, replaces the US-EU Safe Harbor program which was invalidated by the Court of Justice of the European Union in October 2015. The Privacy Shield is thus expected to lift a major obstacle introduced into the trans-Atlantic information economy in the past year.
The Privacy Shield is intended only for U.S. companies and is based on the self-certification of subscribing companies. Companies must undertake elevated privacy and data protection practices corresponding with the EU’s rules on data protection. U.S. companies can self-certify to the Privacy Shield from August 1, 2016.
The importance of Privacy Shield stems from applicable EU law, under which personal data collected in the EU may be transferred to countries outside the EU only under special arrangements aimed to ensure that such data is given adequate protection. The data protection and privacy regimes in the EU and the US are radically different. To bridge these gaps, the European Commission and the United States government created the Privacy Shield, which lays down a legal framework for permissible cross-border transfer of personal data from the EU to the U.S.
The Privacy Shield directly impacts Israel and Israeli companies as well. Under Israeli regulations, cross-border transfer of personal data is permissible when made to countries that receive data from the EU under the EU’s applicable terms of transferring data to them. During the Safe Harbor era, the Israeli privacy regulator (Israeli Law, Information and Technology Authority – ILITA) interpreted these regulations as permitting cross-border transfer of personal data from Israel to U.S. companies certified to Safe Harbor. When the Safe Harbor was struck-down ILITA issued guidance clarifying that Safe Harbor can no longer be used as a legal basis for transferring personal data from Israel to the U.S. With the adoption of Privacy Shield, we expect ILITA to retake its position that views this mechanism as a legal basis for transferring personal data to the U.S.
Cloud service providers such as Amazon, Google and Microsoft are expected to subscribe to the Privacy Shield, just as they did in the past with Safe Harbor. This would help Israeli and non-Israeli companies to comply with the European laws applicable to the transfer of personal data to the cloud providers’ U.S. data centers for storage and processing.