Data Transfers to the US – Safe Harbor is dead, but long live the EU/US Privacy Shield?


A blog by Squire Patton Boggs

A legal challenge brought by an Austrian law student, Max Schrems, led to a landmark change in the law governing the transfer of personal data from the European Union to the US.

EU data protection law tries to ensure that the same strict rules that apply in the EU to the use of data about individuals (so-called “personal data”) continue to apply when that data is transferred to a country outside the EEA (which consists of the EU countries, plus Norway, Iceland and Liechtenstein).

It does this by requiring the EU company to put certain specific measures in place to protect the data before it is transferred to the recipient outside the EEA (or even accessed by them).

The demise of Safe Harbor

Up until 6 October 2015, if the recipient of the personal data was based in the US and had certified to the ‘Safe Harbor’ framework, then (as long as the certification covered the particular type of data to be transferred), the company in the EU could happily transfer personal data to them.

However on 6 October 2015 the Court of Justice of the European Union (CJEU) ruled that the Safe Harbor framework did not properly ensure that EU personal data was protected by the US companies that subscribed to it, particularly from the mass, indiscriminate collection of data by US authorities. In addition, the regime also failed to provide EU individuals with effective rights of redress if their privacy rights were infringed.

This led to some pretty frenetic negotiations between the US and the EU bodies to come up with a replacement structure that could enable the free transfer of data from EU to US companies, but which would address the concerns of the CJEU.

The rise of the Privacy Shield

On 12 July 2016 the EU/US Privacy Shield was born. A similar regime to Safe Harbor, it requires a US company to self-certify that it agrees to abide by a set of privacy principles. It is a much more robust framework, however, with specific rights of redress afforded to EU individuals.

Nevertheless (some people are never satisfied!), just over two months after the Privacy Shield opened for business, on 16 September 2016 a legal challenge was filed in the CJEU by Digital Rights Ireland (a privacy advocacy group) alleging that the Privacy Shield was still not sufficient to protect EU data.

How does this affect your business?

Businesses in the EU should be aware that any transaction which may require personal data to be sent to (or accessed by) a US company should factor in the compliance steps required by the privacy laws of the country in which the EU business itself is located. Watch out for less obvious data transfers, such as your EU service provider hosting data in the US or allowing access to it by a US sub-contractor.

If the recipient of your personal data is still relying on its Safe Harbor certification, this is no longer sufficient to comply.

If the US company has certified to the Privacy Shield, then (provided the certification covers the type of data and transfer), no further measures need to be taken to comply with this rule. This may change, however, for example if the legal challenge by Digital Rights Ireland is successful. Note also that the rules on international data transfers are just one aspect of EU data protection law which must be complied with.

In the absence of the recipient US company having a Privacy Shield certification (or if the recipient is based in another non-EEA country), the EU business will need to consider what other measures it can put in place to comply, such as:

  • Standard Contractual Clauses – entering into a standard form agreement approved by the European Commission with the recipient, although these clauses are also the subject of a legal challenge;
  • Binding Corporate Rules – data transfers between group companies can benefit from having this specific set of rules in place to provide the necessary data protections, once they have been approved by the relevant data privacy authority; or
  • Consent – for small, incidental data transfers, it may be possible to rely on the informed consent of the individual to whom the data relates.

In this fast-moving area, it’s worth keeping up to date on developments, such as the results of the outstanding legal challenges and the effect of the new EU General Data Protection Regulation, which will apply across the EU from 25 May 2018. So watch this space…

© 2017 Squire Patton Boggs (UK) LLP

Squire Patton Boggs is one of the world’s strongest integrated law firms, delivering commercially focused legal solutions to a diverse mix of clients. With offices on five continents, we provide unrivalled access to expertise domestically and across borders. Our global Data Privacy & Cybersecurity team consists of experts in their field with a comprehensive knowledge of the changing EU data privacy landscape and they are already advising SMEs, multi-nationals and global organisations on their new EU data privacy obligations.

For further advice about any data protection law issues or queries please contact:

Francesca Fellowes
Senior Associate
Intellectual Property and Technology
T: +44(0)113 284 7459

Emma Garner
Associate
Intellectual Property and Technology
T: +44(0)113 284 7416
