From Safe Harbor to the 'Privacy Shield': US data exports revisited
On 2 December the EU Commission announced the basis for an agreement with US authorities on a replacement for Safe Harbor, to be known as the 'EU-US Privacy Shield'.
The Safe Harbor framework had previously been used by thousands of organisations to enable the transfer of personal data to the US. However, in October 2015 the European Court of Justice decided in the Schrems case that Safe Harbor did not provide adequate protection of personal data, and therefore could not be solely relied upon in order to comply with the eighth data protection principle.
Given the importance of transatlantic data flows, EU data protection regulators announced a period of grace up to 31 January to allow the EU and US authorities to negotiate a potential successor to Safe Harbor. A deal now appears to have been struck, although we don't yet know the full details of the new Privacy Shield or exactly how it will differ from the Safe Harbor framework. It also isn't clear whether Safe Harbor-certified US companies will automatically be transitioned to the new Privacy Shield, or whether they will need to undergo additional certification.
Whilst the announcement of an agreement is potentially good news for organisations that export personal data to the US, it is unlikely to prove a panacea (at least in the short term). The Article 29 Working Party, the umbrella body for EU data protection regulators, has cautiously welcomed the announcement, and will be analysing the agreement once further details are known. It is by no means certain that the Article 29 Working Party will approve the Privacy Shield arrangements, and in any case privacy campaigners have already signalled their intention to challenge the Privacy Shield through the courts.
For the moment, data exporters should continue to rely on alternative methods, such as approved model clauses or binding corporate rules, to legitimise the transfer of personal data to the US.