News

The EU-US Privacy Shield - A suitable replacement for safe harbour?

In October we reported that the ECJ had ruled the Safe Harbour agreement to be invalid. Following the ruling discussions have been taking place between the EU and US with a view to replacing Safe Harbour. The EU-US privacy Shield has now been announced which hopes to provide a workable solution.

What was Safe Harbour?

European legislation prohibits the transfer of personal data to a country outside the EU unless the country ensures an "adequate level of protection of personal data". The Safe Harbor scheme was a set of principles and rules for processing personal data. US organisations wishing to transfer personal data from the EU to the US could subscribe to the scheme voluntarily with the US Department of Commerce. An agreement was reached between the US and the European Commission in 2000 that US companies that subscribed to Safe Harbour would be considered to be operating within the requirements of the European legislation requirements. However, last year the ECJ disagreed.

The EU-US Privacy Shield

The EU-US Privacy Shield aims to provide a more robust and transparent mechanism to protect EU citizens’ data transferred to the US. The new arrangement will create stronger obligations for US companies to protect personal data and greater enforcement measures by US authorities.

The collapse of Safe Harbour came about because Ed Snowden alleged that the NSA had gained access to personal information regarding Europeans (and other foreign nationals) from the giant tech companies. Under the EU-US Privacy Shield, US intelligence agencies will be limited to processing EU citizens’ personal data for law enforcement and national security purposes only to the extent that such processing is “necessary and proportionate”.

EU citizens will also have increased rights of redress and the option to refer a dispute to a newly appointed Ombudsman.

What happens now?

At present, we continue with a state of uncertainty. The EU-US Privacy Shield has only been agreed in principle. It is still many months away from being finalised. In the meantime, we recommend that businesses should consider:

  • Does personal data really need to be shared with the US entity?
  • Can the data be anonymised? If so, the Data Protection Act will not apply. This can be difficult to achieve in practice without the data losing its usefulness;
  • Whether model contract clauses are/should be put in place. These clauses have been approved by the EU as ensuring adequate protection.

Posted on 02/28/2016 by Ortolan

Get in Touch

If you would like to know more about Ortolan Legal and how we can help you reduce your ongoing recruitment costs, get in touch!

Email us now

   Or call 020 3743 0600

Ortolan Legal have supported us with some very tricky tribunal issues. They are very commercially focussed and truly understand our business. They give really commercial, practical advice which supports our business.

Sharon Eley, Shared Services Director, National Car Parks Limited
See All
Receive news & updates from Ortolan Legal

Meet the Team

  • Nick Benson Nick Benson I qualified as a commercial and corporate solicitor…
  • Liz Delgado Liz Delgado I qualified as a solicitor in 1995 after studying…
  • Carrie Beaumont Carrie Beaumont I qualified as an Employment specialist in 2008. I…