Tag: EU/US Safe Harbour Decision

1
The EU-US Privacy Shield has been released
2
‘EU-US Privacy Shield’ agreed for trans-Atlantic data flow
3
European Court of Justice Declares EU/US Safe Harbour Decision Invalid

The EU-US Privacy Shield has been released

By Cameron Abbott and Meg Aitken

The European Commission has now officially released the EU-U.S. Privacy Shield, which sets out the key requirements and principles for trans-Atlantic data flow between Europe to the US.

Read our colleague’s article on the announcement here.

Alternatively, access the European Commission’s Press Release here.

‘EU-US Privacy Shield’ agreed for trans-Atlantic data flow

By Cameron Abbott and Meg Aitken

A new trans-Atlantic data transfer framework has been agreed between the European Commission and the United States this week. Known as the ‘EU-US Privacy Shield’, the new arrangement is intended to offer greater legal certainty for businesses and afford EU citizens increased protection when their data is transferred across the Atlantic to the US.

The new regulations will replace the US-EU Safe Harbor framework, which was invalidated by the European Court of Justice last October on the basis that the generalised access that public authorities had to the data and content of electronic communications violated fundamental privacy rights. Read our earlier blog post on the Safe Harbour decision here.

The key features of the new EU-US Privacy Shield are:

  • Stronger obligations on US companies to protect the personal data of EU citizens
  • More robust enforcement powers granted to both EU and US regulators, including greater monitoring and prosecution by the US Department of Commence and Federal Trade Commission (FTC)
  • Clearer conditions, limitations, redress avenues and safeguards for data transferred across the Atlantic
  • Expanded obligations for US companies to prove compliance
  • Several new avenues for EU citizens to lodge complaints about data misuse, including the establishment of a new independent privacy Ombudsman

The new Privacy Shield is still awaiting final approval from the College of Commissioners and will be subject to further review by the Article 29 Working Party before it is introduced. Much of the detail has not been released, so while the principles have been articulated, the impact on the obligations of affected companies is still far from clear.

Read the European Commission press release here for further details.

Our US and EU colleagues have drafted a more detail description which can be accessed here for further information.

European Court of Justice Declares EU/US Safe Harbour Decision Invalid

By Cameron Abbott and Melanie Long

The European Court of Justice has declared a decision by the European Commission on the legitimacy of the EU/US safe harbour scheme (safe harbour decision), invalid. In the wake of the Snowden scandal, Austrian citizen, Maximilian Schrems, lodged a complaint against Facebook with the Data Protection Commissioner in Ireland (the location of Facebook’s European headquarters). The Irish supervisory authority rejected Mr Schrems’ complaint on the basis of the safe harbour decision. In invalidating the safe harbour decision, the European Court of Justice declared that “legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.” Further, that the safe harbour scheme, by not providing for an individual to pursue legal remedies in order to have access to personal data relating to them, or to obtain the rectification or erasure of such data, compromised, “the essence of the fundamental right to effective judicial protection, the existence of such a possibility being inherent in the existence of the rule of law.”

The consequence of this decision is that the EU/US safe harbour scheme is contrary to the Data Protection Directive, which provides that the transfer of personal data to a third country may, in principle, take place only if that third country ensures an adequate level of protection of the data.

The European Court of Justice’s press release can be found here.

To read the full judgment of the European Court of Justice click here.

Copyright © 2019, K&L Gates LLP. All Rights Reserved.