Data Protection: EU-US Privacy Shield Update

Author:Mr Paul Herbert
Profession:Goodman Derrick LLP


This article provides an update on the new EU-US Privacy Shield agreement (click here for our earlier piece on this subject) as well as a summary of the EU General Data Protection Regulation.

To recap, in October 2015 the Court of Justice of the European Union ("CJEU") declared the EU-US Safe Harbour agreement invalid. This ended, albeit temporarily, a 15 year old agreement whereby American companies could self-certify that they had sufficient procedures in place to ensure that any data transferred to them from within the EEA would have the benefit of 'adequate protections'. This, it was hoped, would ensure that the fundamental rights of EU citizens were not breached. In return, the self-certifying American companies would be protected from claims against them from data subjects in the EU that their personal data was not being adequately protected when transferred to the US.

The CJEU cited two main areas of concern, the first being over US government access to personal data and the second being the lack of judicial redress available to EU citizens for breaches.

The New Ruling

In February 2016, a new agreement was reached between the EU and US. The EU-US Privacy Shield. Whether or not this new agreement is effectively a 'Safe Harbour MKII' or an entirely new agreement has been a matter for debate.

Who Should Take Note?

Any company, whether situated in the EU or US, which handles EU citizen's data or transfers that data between the EU and US. Online companies in particular should take note, especially those which are 'cloud-based'.

What are the Changes?

The new EU-US Privacy Shield agreement aims to ensure that standards of protection given to EU citizens' personal data in the US, is the same as that in Europe. It seeks to achieve this by:

  1. Imposing strong obligations on US companies who process the data of EU citizens and making compliance with European Data Protection Authorities' decisions mandatory.

  2. Arranging for the US Department of Commerce to monitor US companies' data protection obligations and making these obligations enforceable under US law.

  3. Requiring written assurances from the US Government that it will end indiscriminate mass surveillance of EU personal data and that its access to EU personal data will be subject to clear limitations. To monitor this there will be an annual joint review between the European Commission and the US Department of Commerce.

  4. Ensuring greater access to redress for EU citizens over...

To continue reading