Data sharing with the US: A Privacy Shield update

The EU and US have been working together to prepare an adequate replacement to the Safe Harbour regime.

09/06/2016

Jonathan Moore

Jonathan Moore

Associate

There is still no sustainable legal framework in place which allows the commercial transfer of personal data from the EU to the United States. Until October last year, it was understood that if a US based company signed up to the "Safe Harbour" regime (which involved that company self-certifying that it would comply with the Safe Harbour rules), a European company could transfer personal data to that US company in compliance with EU data protection law. Last October, the European Court of Justice determined that the Safe Harbour regime was inadequate and it did not enable European companies to comply with their data protection obligations.

Following the ECJ's decision, there has been significant uncertainty in relation to the legality of sharing personal data between Europe and the US. To remedy the uncertainty, the EU and US have been working together to prepare an adequate replacement to the Safe Harbour regime. In February it was announced that the proposal for the new regime is the "Privacy Shield". Whilst the Privacy Shield appears to be a step-up from the Safe Harbour regime, many within the EU consider that it is still inadequate to comply with European data protection law. 

The fundamental problem appears to be the different approaches to data protection by Europe and the US. The EU considers itself to be the world leader in protecting its citizens' right to privacy. This belief is not unjustified, particularly in light of the General Data Protection Regulation which comes into force across the EU in May 2018 and gives EU citizens even better protection and control over their personal data. On the other hand, the US has adopted the view that maintaining the country's security justifies a significantly greater invasion of the privacy of individuals than is permissible in Europe (even before the GDPR comes into force). The US's approach to protecting privacy is therefore difficult to square with the approach taken by  the EU. 

The latest step in the evolution of the Privacy Shield has come in the form of a report by the European Data Protection Supervisor. The EDPS is independent of the EU but advises its institutions on data protection issues and its report sets out its concerns regarding the current draft of the Privacy Shield. In a nutshell, the Shield does not provide individuals with any judicial redress in the event that their personal data is misused and the EU needs further reassurances from the US that it will only access the personal data which has been transferred if it is necessary and proportionate (as opposed to allowing US authorities routine access to the personal data). 

Whilst the Privacy Shield is an improvement on the Safe Harbour regime, it appears that significant hurdles remain before a final version can be agreed. 

Until the Privacy Shield is in place, organisations may still be able to transfer personal data to the US but it will need to use either Standard Contractual Clauses or binding corporate rules until further guidance is published by the EU.

Related Insights

Authority Update 27/4/18

by Claire Booth

Brief details of recent policy and legal developments relevant to those involved in local government work

Authority Update 13/4/18

by Claire Booth

Brief details of recent policy and legal developments relevant to those in the local government sector

Health and Social Care Update - April 2018

by Claire Bentley

Policy and law relevant to those involved in health and social care work.

Authority Update 30/3/18

by Claire Booth

Brief details of recent legal and policy developments relevant to those involved in the local government sector

Authority Update 16/3/18

by Claire Booth

Brief details of recent Government policy and legal developments relevant to those involved in local government work

Health and Social Care Update - March 2018

by Claire Bentley

Policy and law relevant to those involved in health and social care work.

Keep up to date With Bevan Brittan

What interests you?

About you?

You can view our privacy policy here