The European Commission, as of the 12 July, has formally
adopted a new framework for transferring data between the European
Union (EU) and the United States (US) – the EU-US
Privacy Shield – eight months after the landmark
decision in the case of Schrems v Irish Data Protection
Commissioner ruled the Safe Harbor mechanism as invalid.
What was Safe Harbor?
Safe Harbor was the agreed standard companies were required to
meet in order to adequately protect data which was transferred from
Europe to the USA. The Schrems case declared that the Safe Harbor
mechanism was not an adequate means of transferring transatlantic
data and did not provide sufficient protection to European
citizens' personal data, thus the mechanism was invalid.
Safe Harbor was relied on by a large number of US companies,
thus since the Schrems decision, the European Commission and the US
authorities have been working to find an alternative to Safe
Harbor. Welcome the EU-US Privacy Shield!
What is the EU-US Privacy Shield?
The new framework is intended to provide robust protection for
European citizens whose data is being transferred to the US and
places a number of safeguards on the US authorities regarding their
access to the personal data of Europeans to ensure their data is
It has been difficult to align the views of the EU and the US on
privacy which is why it has taken from October last year until now
to formalise an agreement.
In February, the European Commission published the legal texts
which were scrutinised by the Article 29 Working Party (consisting
of EU member states data protection regulators) and the European
Parliament. Notably, when the Article 29 Working Party released
their review of the framework back in April they were highly
critical of the draft voicing concern over the "massive and
indiscriminate" bulk collection of data by the US authorities
and the independence of the US ombudsman.
(For further information on the Working Party's concerns see
our previous blog 'When is a shield not a
After weeks of discussions back and forth between negotiators
for the EU and the US an agreement has finally been reached, taking
into account the criticisms of the Article 29 Working Party. Vera
Jourova, the European Commissioner for Justice has announced that
the new EU-US Privacy Shield "brings stronger data protection
standards" which will "restore the trust of consumers
when their data is transferred across the Atlantic."
The new Privacy Shield has gone further in protecting the
individual rights of data subjects by imposing stronger rules
regarding US mass surveillance, increasing the independence of the
US ombudsman from US national authorities and imposing clear
safeguards on the protection of EU citizen's data from US
What happens next?
As with Safe Harbor, US companies will have to self-certify
under the Privacy Shield regime which they will be able to do from
the 1st of August. Companies should begin to assess how the
implementation of the new EU-US Privacy Shield will affect their
Comments have already been made as to whether the new Privacy
Shield will in fact provide adequate protection in EU-US data
transfers. Therefore, it probably will not be long before the
Privacy Shield, like Safe Harbor, is challenged in court. Watch
The material contained in this article is of the nature of
general comment only and does not give advice on any particular
matter. Recipients should not act on the basis of the information
in this e-update without taking appropriate professional advice
upon their own particular circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
The fourth and final part of our mini-series on the draft ICO guidance on Consent, published on 2 March 2017, focuses on the practical impact the GDPR (General Data Protection Regulation) will have on how your organisation records and manages consent.
In light of the much anticipated ICO draft GDPR (the General Data Protection Regulation) Consent Guidance being published yesterday, 2 March 2017, we will be running a mini-series on the guidelines under consultation and the impact the GDPR will have on the much vexed position of consent and the impact on your business.
The first of our four discussions on the ICO guidelines for Consent will focus on the meaning of consent under the GDPR (General Data Protection Regulation) and how this change enhances the previous law on consent to data processing.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).