09/06/2016
There is still no sustainable legal framework in place which allows the commercial transfer of personal data from the EU to the United States. Until October last year, it was understood that if a US based company signed up to the "Safe Harbour" regime (which involved that company self-certifying that it would comply with the Safe Harbour rules), a European company could transfer personal data to that US company in compliance with EU data protection law. Last October, the European Court of Justice determined that the Safe Harbour regime was inadequate and it did not enable European companies to comply with their data protection obligations.
Following the ECJ's decision, there has been significant uncertainty in relation to the legality of sharing personal data between Europe and the US. To remedy the uncertainty, the EU and US have been working together to prepare an adequate replacement to the Safe Harbour regime. In February it was announced that the proposal for the new regime is the "Privacy Shield". Whilst the Privacy Shield appears to be a step-up from the Safe Harbour regime, many within the EU consider that it is still inadequate to comply with European data protection law.
The fundamental problem appears to be the different approaches to data protection by Europe and the US. The EU considers itself to be the world leader in protecting its citizens' right to privacy. This belief is not unjustified, particularly in light of the General Data Protection Regulation which comes into force across the EU in May 2018 and gives EU citizens even better protection and control over their personal data. On the other hand, the US has adopted the view that maintaining the country's security justifies a significantly greater invasion of the privacy of individuals than is permissible in Europe (even before the GDPR comes into force). The US's approach to protecting privacy is therefore difficult to square with the approach taken by the EU.
The latest step in the evolution of the Privacy Shield has come in the form of a report by the European Data Protection Supervisor. The EDPS is independent of the EU but advises its institutions on data protection issues and its report sets out its concerns regarding the current draft of the Privacy Shield. In a nutshell, the Shield does not provide individuals with any judicial redress in the event that their personal data is misused and the EU needs further reassurances from the US that it will only access the personal data which has been transferred if it is necessary and proportionate (as opposed to allowing US authorities routine access to the personal data).
Whilst the Privacy Shield is an improvement on the Safe Harbour regime, it appears that significant hurdles remain before a final version can be agreed.
Until the Privacy Shield is in place, organisations may still be able to transfer personal data to the US but it will need to use either Standard Contractual Clauses or binding corporate rules until further guidance is published by the EU.