Transfers Of Personal Data To The US: The Privacy Shield Is Approved
In the autumn of 2015 the Safe Harbor regime, under which personal data could be transferred to certain companies in the USA, was ruled invalid. The withdrawal of this regime has caused headaches for businesses in the EU because, under EU law, personal data may only be transferred to countries outside the EEA if the destination country has what the EU deems to be an adequate level of data protection. The US does not have that recognition.
A new framework for the transfer of personal data from the EU to the US has now been adopted. This is known as the Privacy Shield.
The Privacy Shield is a self-certification system. Companies wishing to participate must be subject to the investigatory and enforcement powers of the Federal Trade Commission, the Department of Transport or another US statutory body and must also satisfy a number of other conditions.
Companies that were previously registered under the Safe Harbor Scheme will not automatically transfer to the Privacy Shield. It therefore follows that if an EU business was in the habit of dealing with any US business under Safe Harbor, it must now verify that the US business participates in the Privacy Shield. Alternatively, it must adopt another system to deal with the export of personal data, such as model contract clauses or binding corporate rules. Companies participating in the Privacy Shield must include links on their websites to the US Department of Commerce website, the Privacy Shield list and the website of an independent recourse mechanism with which they have registered.
Looking to the future, expert opinion is that the Privacy Shield is likely to be challenged in the courts in the same way that Safe Harbor was. Max Schrems, the Austrian privacy campaigner who challenged the Safe Harbor regime, has commented that the Privacy Shield “is little more than a little upgrade to Safe Harbor, but not a new deal. It is likely to fail again, as soon as it reaches the CJEU” and that “as long as far-reaching US surveillance laws apply to EU-US data flows, any legal basis will be subject to invalidation or limitations under EU fundamental right”. For the time being, however, the Privacy Shield is a valid option to use when transferring personal data to the US.