EU-US Privacy Shield – The Long and the Short
The Long – The shield in is a strong statement of intent by the EU and the US
First off, the new agreement is still in the draft stages but over the coming weeks, we expect to see the details fleshed out. Both the EU and the US need to firm up this agreement to withstand a review by the European Court of Justice (CJEU). techUK has called on the European Commission and US Administration to show total commitment to implementing this agreement.
At this stage, it is important to wind back the clock and ask how we got here and what is at stake? The Safe Harbour agreement was an agreement which set out a framework of data protection standards for data being transferred from the EU to the US. Thousands of companies used Safe Harbour to transfers data across the Atlantic. Thousands more rely on International data transfers that underpin services right across the economy from small farmers receiving tailored weather reports to companies sharing data to protect consumers from cyber-attacks and fraud.
In October 2015, the European Court of Justice (CJEU) issued a ruling declaring Safe Harbour was invalid as a legal basis for transferring data across the Atlantic. This was the result of a case brought by Maximilian Schrems who believed his data was not being protected to an adequate level in the US.
The ruling created a legal blackhole in the heart of the EU-US data trade and empowered individual European Data Protection Authorities (DPAs) to unilaterally investigate data flows. This could potentially lead to a fragmentation of Europe’s data protection framework.
Transatlantic data flows are vital to countless services and business right across the economy, from a tourist using a credit card, booking a hotel online to a company paying its employees across Europe. These all involve data transfers.
The short – the devil is in the details
Companies will be looking for further detail on how the agreement will work. The Privacy Shield represents the great progress made by the EU and the US in finding common ground between two very different data protection regimes. For the time being business can rely on alternative legal mechanism to transfers data but we will have to wait until the end of February. Then we will have to wait and see how Europe’s DPAs react to the detail of the agreement.
The clear goal now is for the EU, US, European governments and Europe’s DPAs to come together and play a constructive role in making this agreement work.
For more information on techUK's work on international Data Transfer please contact Shane Murphy
- See more here.