On Tuesday the 12th of July the EU Commission announced that it had formally adopted the new Privacy Shield as a replacement for the now defunct Safe Harbor scheme.
Safe Harbor governed the transfer of personal data from the EU to the US and was invalidated by the European Court of Justice on the 6th of October last year. Safe Harbor required businesses in the US to self-certify their compliance with its data protection principles. Privacy Shield requires the same kind of self-certification, which US businesses can undertake from the 1st of August this year.
Is there actually a need for Privacy Shield?
The United States is not a country which is considered by the EU to be "adequate" for the safe and lawful transfer of personal data.
In order to address this issue, the US and EU have agreed a scheme under which businesses based in the United States self-certify that they meet the standards required by EU data protection law. This is intended to ensure appropriate protection for EU citizens' personal data once it leaves the EU. Once a business is certified, it will be subject to compliance checks by the US Department of Commerce, the federal body appointed to oversee transatlantic data flows and charged with ensuring continued compliance with the Privacy Shield rules once they are in force.
How will this affect UK businesses transferring personal data to the US?
From the 1st of August this year, a UK business will be able to send personal data freely to a business in the United States that is registered under Privacy Shield, because registered US businesses will be deemed to provide adequate protection for the transferred data.
Up to this point, businesses that undertook transatlantic transfers of personal data were required to find another way to meet EU data protection law requirements. In practice this almost always meant entering into Model Contract Clauses with the US business receiving the data.
However, Model Contract Clauses are themselves now under challenge and may also be invalidated by the European Court of Justice at some point, although a decision on that is some time away.
Until Privacy Shield comes into effect in August, businesses in the UK should continue to rely on existing Model Contract Clauses or another lawful method of transferring personal data overseas.
How is this affected by Brexit?
Until the UK actually leaves the EU, it remains subject to EU legal principles in the same way as before the Brexit vote. The General Data Protection Regulation (known as "GDPR") will apply across the EU from the 25th of May 2018. That date is likely to fall before the end of the two-year exit period set out in Article 50.
The GDPR will change the landscape of data protection law in the UK and it will mean that the Privacy Shield adequacy decision is even more relevant because failure to comply with the GDPR can have extremely serious financial consequences.
By Daniel Gardener