EU And US Agree Scheme To Replace Safe Harbor: EU - US Privacy Shield

Author:Mr Charles-Albert Helleputte, Guido Zeppenfeld, Mark A. Prinsley, Oliver Yaros and Kendall C. Burman
Profession:Mayer Brown

Keywords: EU, US, safe harbor, privacy,

In October 2015, the Court of Justice of the European Union ("CJEU") held that transfers of personal data from Europe to the United States made under the so-called US Safe Harbor scheme were invalid as those transfers did not ensure an adequate level of protection under European data protection law.

In the aftermath of that decision, the Article 29 Working Party, the organisation that represents the data protection authorities of the European Union, set 31 January 2016 as the deadline by which the representatives of the European Union and the United States had to find solutions to address the significant risks identified by the CJEU with respect to the transfer of personal data to the United States. At the time, the Article 29 Working Party made it clear that if no appropriate solution was reached with the United States by the deadline, European data protection authorities were committed to take all necessary and appropriate actions, which might include taking coordinated enforcement action. That deadline has now expired.

On 2 February 2016, the European Commission announced that it had reached a high level agreement on a series of measures with the United States to resolve the issues identified in the CJEU's ruling. These are as follows:

The Safe Harbor scheme will be replaced by a scheme called "EU - US Privacy Shield" which will be administered by the US Department of Commerce. European and United States representatives will confirm the process and timing for the transition from the Safe Harbor to the EU - US Privacy Shield scheme in due course. By joining the EU - US Privacy Shield scheme, an organisation will be able to import personal data from Europe into the US provided that organisation publicly commits to the manner in which and the purposes for which it will process personal data in the US and agrees to comply with enhanced requirements about the manner in which personal data will be processed by it. Existing restrictions concerning onward transmission of personal data from the US to other countries will be tightened. Each organisation that certifies that it complies with the EU - US Privacy Shield scheme will have its compliance with the scheme monitored and reviewed by the US Department of Commerce. If an organisation is found to have not complied with its commitments, sanctions will be applied against that organisation by the US Federal Trade Commission and it may be removed from the...

To continue reading