The EU and the US have agreed the structure of a new ‘Privacy Shield’ to protect the personal data of EU citizens when it is transferred to the US. The new arrangements were put together quickly after the Court of Justice of the European Union declared the old ‘Safe Harbor’ regime invalid (see our comments on that decision in our Talking Finance post Safe Harbor torpedoed?).
The data protection regime
The European Data Protection Directive was designed to provide a Europe-wide regime to protect the rights of individuals by imposing limits and protections on the use of their personal data. In the UK, it was implemented by the Data Protection Act 1998, which sets out eight ‘data protection principles’. The eighth of these, often called the ‘data export principle’, aims to prevent personal data being transferred to a country where it won’t be adequately protected.
The ‘data export principle’ prevents the personal data of individuals being transferred from the EU to a country or territory outside the EEA unless that country or territory provides ‘adequate protection’ for the rights and freedoms of the individuals.
The European Commission has previously issued a number of ‘community findings’ (adequacy decisions) confirming that particular territories have data protection laws which provide adequate protection.
In the case of the US, back in 2000 the EU and the US Government agreed a set of Safe Harbor principles. US companies which self-certified their compliance with those principles were deemed to offer adequate protection and so transfers of personal data to those companies would not breach the data export principle.
The Safe Harbor framework operated for 15 years until the court’s decision in October 2015 that it wasn’t up to scratch after all.
Although the new Privacy Shield has replaced the Safe Harbor regime, it operates in a similar way: US companies will be able to self-certify to the US Department of Commerce that they comply with the Privacy Shield framework from 1 August 2016.
There are, however, some significant changes to the framework requirements, in particular written assurances from the US Government limiting the access of law enforcement and national security agencies to individuals’ data, and new avenues of redress for EU individuals. In addition, the US Department of Commerce will conduct regular reviews of participating companies to ensure that they continue to follow the agreed framework.
The road ahead
The European data protection regime is due to be updated by a new General Data Protection Regulation which will apply to all European member states from May 2018. The UK’s decision to leave the EU has cast doubt on whether and to what extent that new law will be implemented in the UK.
For now, however, it’s business as usual and any UK organisation proposing to transfer personal data to a US company should check that the recipient appears on the Privacy Shield list maintained by the US Department of Commerce before the transfer takes place.