09/06/2016

There is still no sustainable legal framework in place which allows the commercial transfer of personal data from the EU to the United States. Until October last year, it was understood that if a US-based company signed up to the "Safe Harbour" regime (which involved that company self-certifying that it would comply with the Safe Harbour rules), a European company could transfer personal data to that US company in compliance with EU data protection law. Last October, the European Court of Justice determined that the Safe Harbour regime was inadequate and that it did not enable European companies to comply with their data protection obligations.

Following the ECJ's decision, there has been significant uncertainty in relation to the legality of sharing personal data between Europe and the US. To remedy the uncertainty, the EU and US have been working together to prepare an adequate replacement to the Safe Harbour regime. In February it was announced that the proposal for the new regime is the "Privacy Shield". Whilst the Privacy Shield appears to be a step up from the Safe Harbour regime, many within the EU consider that it is still inadequate to comply with European data protection law.

The fundamental problem appears to be the different approaches to data protection by Europe and the US. The EU considers itself to be the world leader in protecting its citizens' right to privacy. This belief is not unjustified, particularly in light of the General Data Protection Regulation which comes into force across the EU in May 2018 and gives EU citizens even better protection and control over their personal data. On the other hand, the US has adopted the view that maintaining the country's security justifies a significantly greater invasion of the privacy of individuals than is permissible in Europe (even before the GDPR comes into force). The US's approach to protecting privacy is therefore difficult to square with the approach taken by the EU.

The latest step in the evolution of the Privacy Shield has come in the form of a report by the European Data Protection Supervisor. The EDPS is independent of the EU but advises its institutions on data protection issues, and its report sets out its concerns regarding the current draft of the Privacy Shield. In a nutshell, the Shield does not provide individuals with any judicial redress in the event that their personal data is misused, and the EU needs further reassurances from the US that it will only access the personal data which has been transferred if it is necessary and proportionate (as opposed to allowing US authorities routine access to the personal data).

Whilst the Privacy Shield is an improvement on the Safe Harbour regime, it appears that significant hurdles remain before a final version can be agreed. 

Until the Privacy Shield is in place, organisations may still be able to transfer personal data to the US, but they will need to use either Standard Contractual Clauses or binding corporate rules until further guidance is published by the EU.
