The EU-US Privacy Shield enables personal data to flow from the EU to the US and back. The Privacy Shield replaces the safe harbour arrangement and provides Europeans with greater protection of their personal data. Without it, it would be illegal for entities or data controllers to transfer data from the EU to the US and back again. US entities (like Google, Facebook and others) would not be able to process the data of Europeans.

What happened to the Safe Harbour Agreement?

We all remember those happy days when the Safe Harbour agreement was in operation. The Safe Harbour agreement allowed entities to transfer data from Europe to the US under the misconception that the US was a ‘safe harbour’ for the processing and storage of personal data. Unfortunately, it turned out that the safe harbour was in fact shark-infested waters. The European Court of Justice declared the Safe Harbour agreement invalid in October 2015 on the grounds that EU citizens’ personal data was not adequately protected, particularly from interference and surveillance by US authorities.


Since that decision, delegations from the EU and the US have been working on reaching a new agreement that would enable the safe passage of data, with adequate protection, between the EU and the US.

What is the EU-US Privacy Shield?

On 2 February 2016, the European Commission and the United States agreed on a new framework called the EU-US Privacy Shield and issued a press release. The idea behind the EU-US Privacy Shield is that it will create a blanket permission that allows for the flow of data between the US and the EU (like the Safe Harbour), but this time round the EU has demanded that American intelligence agencies be limited in their collection of data on Europeans.


Latest Developments

On 29 February 2016, the European Commission released another press statement outlining the principles that will form the backbone of the legal text for the Privacy Shield. These principles are:

  • There will be strong obligations on companies to be transparent and comply with regulations. These obligations will be strictly enforced and companies will face sanctions and exclusion if they do not comply.
  • In terms of US government access to personal data, there must be clear safeguards, limitations and oversight mechanisms put in place to prevent generalised access to personal data.
  • An independent Ombudsman within the Department of State must be established. Europeans will be able to file complaints with this Ombudsman and inquire into whether the US government has complied with the relevant laws.
  • The focus is on the protection of EU citizens’ rights. In order to give effect to those rights, complaints involving companies have to be resolved within 45 days, and free alternative dispute resolution services and a final arbitration remedy must also be available to EU citizens.
  • Companies that are handling human resource data are required to comply with advice from European Data Protection Authorities.
  • An annual review mechanism of the Privacy Shield will also be put in place.

The US government will have to make written assurances to this effect, which will be regularly reviewed by European officials. The negotiating parties still have to decide on a specific set of rules, but EU officials have indicated that the 1995 Directive on data protection and the new General Data Protection Regulation (GDPR) are likely to be the basis for the guiding principles.

Some might argue that what the US really needs to do is enact an umbrella data protection law, like the Consumer Privacy Bill of Rights Act (CPBORA). In the meantime, the progress of the Privacy Shield must be observed closely because it is going to have a significant effect on all businesses that involve data transfer between the EU and the US. In addition, the interaction between the General Data Protection Regulation and the EU-US Privacy Shield is going to be an extremely important relationship in international data privacy law.