EU – US: Personal data transfers from EU to US back to normal again?

On Friday, 8 July, 2016 the EU Member States approved the final version of the “Privacy Shield”, the renewed safe framework allowing for data flows from the EU to the US. This Privacy Shield serves as the alternative for the old “Safe Harbour” which was invalidated by the European Court of Justice.

Following the European Commission, the Privacy Shield is fundamentally different from Safe Harbour, as it imposes “clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice”.

For example:

  • The access of US law enforcement and national security agencies will be subject to clear limitations, safeguards and oversight mechanisms.
  • Complaints have to be resolved by companies within 45 days. A free of charge Alternative Dispute Resolution solution will be available.
  • EU citizens can also go to their national Data Protection Authorities, who will work with the US Federal Trade Commission to ensure that unresolved complaints by EU citizens are investigated and resolved.

Now that the Member States have approved the final text, it is expected that the European Commission will soon formally adopt the decision. The EU and US policy makers are comfortable that the new agreement will satisfy the requirements of the ECJ ruling.

Once adopted, US organisations will be able to engage in a self-certification mechanism and to have themselves registered as Privacy Shield certified, allowing them to receive personal data sourced in the European Union.

In this networked world, with so much data sharing between Europe and the United States, many international companies hope that transatlantic data flows will become business as usual again.