The EU-US Privacy Shield: The New Data Protection Deal

Author: Mr Richard Field, Huw Thomas, Ben Mays, Nick Bullmore, Mark Dunster, Clinton Hempel, Linda Lee, Siobhan Riley, Alistair Russell and Elizabeth Killeen
Profession: Carey Olsen

The (Un)Safe Harbor and Schrems

As explained in detail in our article from October 2015, the Court of Justice of the European Union declared in its judgment in the case of Schrems v Facebook that the EU-US Safe Harbor agreement (Safe Harbor) was invalid. This meant that data transfers between European Union Member States and the United States that were taking place under Safe Harbor were no longer lawful.

The decision was primarily based on the ability of the US authorities to access personal data transferred from the Member States to the United States and process it in a way incompatible with the purposes for which it was transferred and beyond what was strictly necessary and proportionate for the protection of national security.

Notwithstanding this decision, the European Commission made it clear that there were alternative ways in which lawful transfers could be made - including the use of Binding Corporate Rules (BCRs), Standard Contractual Clauses (SCCs) or by consent. However, Safe Harbor could no longer be relied upon.

Since then, steps have been taken to agree a replacement for the Safe Harbor scheme.

The Article 29 Working Party's deadline of 31 January 2016

The EU's Article 29 Working Party (the Working Party), comprising the national data protection authorities of EU Member States, the European Data Protection Supervisor and the European Commission, set a deadline of 31 January 2016 for a new agreement to be reached to replace Safe Harbor, which had been in operation since 2000.

The Working Party stated that any new deal needed to address the issue of "massive and indiscriminate surveillance" that was taking place in the US. The deal should therefore include obligations in relation to the necessary oversight of access by public authorities, transparency, proportionality and redress mechanisms, and should clarify the data protection rights of individuals.

The new deal: the EU-US Privacy Shield

Although the original deadline of 31 January 2016 was not met, a new political deal in the form of the EU-US Privacy Shield (the Privacy Shield) was announced by the European Commission on 2 February 2016. Details of the new scheme have yet to be announced and there remains a high degree of uncertainty about its terms.

The Privacy Shield includes the following key elements:

Stronger obligations on US companies to protect the personal data of EU citizens, including how personal data are processed and the individual rights of EU citizens being...
