Privacy Shield Update, March 2016

INTRODUCTION

The Privacy Shield is the new framework for commercial data exchange between the United States and the European Union. A response to the Schrems decision, which invalidated the previous Safe Harbor regime, the Privacy Shield aims to restore trust in transatlantic data flows while ensuring the rights of Europeans and providing legal certainty for businesses.

This briefing looks at the Privacy Shield, focusing on how the new framework will operate in practice and the differences between it and Safe Harbor.

SAFE HARBOR AND THE SCHREMS DECISION

The EU Data Protection Directive (95/46/EC) requires that personal data may only be transferred to non-EEA countries if those countries ensure an adequate level of protection for the personal data. The adequacy of the protection is assessed with regard to the country's domestic law and the international commitments it has in place for the protection of the private lives and basic freedoms and rights of individuals.

The Safe Harbor Agreement (2000/520/EC) was a voluntary initiative which allowed American organisations that carried out data processing in the EU to self-certify that their processing was undertaken in accordance with the provisions of the EU Data Protection Directive. However, the Court of Justice of the European Union (CJEU) invalidated the Safe Harbor Agreement in the Schrems decision in October 2015. Schrems arose out of a complaint by an Austrian national, Max Schrems, that personal data of his supplied to Facebook in the US by Facebook Ireland was not being processed in accordance with European data protection standards. As the transfers were subject to Facebook's Safe Harbor certification, and on the basis that Safe Harbor was one of the methods approved by the EU Commission under the Data Protection Directive to validate such transfers, the Irish Data Protection Commissioner had rejected Mr Schrems' complaint. Mr Schrems appealed this decision to the Irish High Court, which in turn referred the matter to the CJEU. His concerns followed revelations by Edward Snowden regarding alleged widespread monitoring of data by US security agencies.

The CJEU decided in favour of Mr Schrems principally on two grounds. First, it was held that in approving Safe Harbor, the Commission had failed to ensure that the US provided a level of protection of fundamental rights which was equivalent to that guaranteed in the EU. Secondly, the Safe Harbor Agreement potentially deprived data subjects of their rights of access to Data Protection Supervisory Authorities, which are vested with the authority to exercise independent oversight of data controllers within their jurisdiction.

The Schrems decision had the practical effect of rendering the Safe Harbor regime invalid. This judgment is part of an increasing body of case law which recognises the protection of personal data as being guaranteed by the Charter of Fundamental Rights of the European Union.

THE PRIVACY SHIELD

The Privacy Shield is...
