New EU-US Data Protection Shield ("Privacy Shield") comes into effect
Update Data Protection No. 12
On July 12, 2016, the EU Commission finalized the adoption procedure for the new EU-US data protection shield ("Privacy Shield"). The new Privacy Shield has therefore come into force after months of negotiations, and is intended to replace the controversial Safe Harbor Agreement that the ECJ declared invalid last year. The aim of the new Privacy Shield Agreement is to create a new, improved protection framework for the transfer of personal data from the European Union to the USA.
1. In its Safe Harbor judgment dated October 6, 2015 (legal matter C-362/14), the ECJ declared that the transfer of personal data by European companies to the USA on the basis of the Safe Harbor Agreement is invalid. This created major uncertainty among companies as to how to ensure a legally compliant transfer of personal data. The situation was further aggravated in various member states, as in recent months local data protection authorities began imposing fines on individual companies that had not adapted their data transfers in a legally compliant manner, or had not done so in sufficient time (we reported on corresponding actions by the Hamburg data protection authority in Data Protection Update 11/2016).
2. As a result of the new Privacy Shield, companies in the European Union now have a further possibility at their disposal for the legally compliant transfer of personal data to the USA - in addition to the Standard Contractual Clauses (EU Model Contracts) and Binding Corporate Rules (BCR), which remain available.
3. A precondition for data transfer on the basis of the Privacy Shield Agreement is the registration of the company as well as a declaration of compliance with the legal requirements of the Privacy Shield when transferring personal data. Compared to the Safe Harbor Agreement, a number of preconditions have been significantly tightened. On top of this, the new Privacy Shield establishes stricter supervision and control mechanisms (in this regard see our Data Protection Update 06/2016). Examples include the fact that a company's self-declaration must be renewed annually, and that compliance with the Privacy Shield principles is to be monitored continuously by the responsible US Department of Commerce. Accordingly, registered companies are obliged to ensure that data transfers are always carried out in complete conformity with the new Privacy Shield rules.
4. It remains to be seen whether the Privacy Shield actually brings the success desired by the EU Commission. From the perspective of various data protection associations and authorities, there are still major points of criticism, and it is to be expected that the Privacy Shield will be examined by the ECJ in the near future, in the same way as the Safe Harbor Agreement was. Taking this into account, it is not yet foreseeable to what extent the new Privacy Shield will stand up to such an examination. In view of the highly persistent criticism, there is certainly cause for doubt here.
5. The situation for companies is therefore that the new Privacy Shield in principle constitutes an effective basis for data transfer to the USA. Nevertheless, if the transfer of personal data to the USA is currently already being carried out on the basis of the Standard Contractual Clauses or Binding Corporate Rules, this framework should be maintained. However, companies that have to deal with the transfer of personal data and its legal construction for the first time should think very carefully about whether, in view of the uncertain future, recourse to the Privacy Shield currently appears advisable.
6. It should also be noted that only data transfer from the European Union to the USA is affected. Data transfer to other third countries cannot be legitimized in this way.