A large company with offices in Europe and the United States had self-certified to adhere to the EU-US Safe Harbor framework and had been relying on it for the company's intra-company transfers of datauntil the Court of Justice of the European Union (CJEU) struck down the framework last year. While the US government and the EU Commission proposed a new framework with stronger privacy protectionsthe EU-US Privacy Shieldto replace the invalidated Safe Harbor framework, the EU's Article 29 Working Party recently issued an opinion disapproving the Privacy Shield. The company's general counsel is not sure what the company will need to do to transfer data from the EU to the US now that the Safe Harbor framework has been invalidated and approval of the Privacy Shield has been put in doubt.
In October 2015, the CJEU held that transfers of personal data from the European Union to the United States under the Safe Harbor framework were invalid, as those transfers did not ensure an adequate level of protection under European data protection law. In the aftermath of that decision, the EU Commission and the US government negotiated the Privacy Shield to improve the Safe Harbor framework and address the CJEU's concerns. A draft of the Privacy Shield was released in March 2016, and the Article 29 Working Party (a representative body of the EU data protection officers) then reviewed the Privacy Shield to see if it provided a level of protection equivalent to the EU Data Protection Directive and would protect the EU fundamental rights to private life and data protection. On April 13, 2016, the Working Party rejected portions of the Privacy Shield.
Overview of Opinion
While acknowledging that the Privacy Shield had made "significant improvements" to the Safe Harbor framework, the Working Party expressed strong concerns over whether the Privacy Shield would ensure a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed in the EU. In addition, some key data protection principles outlined in the EU Data Protection Directive were either not addressed or were inadequately substituted in the Privacy Shield.
Some of the Working Party's key concerns included:
US surveillance law is not sufficiently clear or precise, and further clarification of important limitations on intelligence collection is needed. The national security exceptions to the Privacy Shield may not be permissible, depending on...