The new framework regulating the transfer of personal data between the EU and the U.S. has been available as of 1 August 2016. The new “Privacy Shield” replaces the old regime known as “Safe Harbor”. The regime may be useful for U.S. corporations that have EU branch offices and data centers in the U.S. The new regime is available for U.S. parent companies at the following website: www.privacyshield.gov.
The Safe Harbor framework was adopted by EU Commission decision No. 2000/520/EC. The reason for creating the framework was the EU data protection legislation. The legislation only allowed the transfer of EU citizens' personal data to third countries if the regulations of that third country ensured adequate protection. Historically, the U.S. did not guarantee adequate protection. Therefore, under this regime, U.S. corporations undertook additional commitments. The regime operated with several flaws and under heavy criticism for over a decade, until the European Court of Justice invalidated the previous decision of the EU Commission last October. The regime was invalidated due to the excessively broad scope of data transfers allowed under the regime and the lack of appropriate warranties.
As a result, no data transfer to the U.S. has been legally possible since last October, with the exception of transferring data through model contracts or binding internal by-laws (and the relocation of data centers to the EU). Finally, the uncertain situation was ended by the adoption of the new EU-US agreement in July 2016. The most important elements of the new regime are the following:
We hope that the new regime will fulfill its purpose and simultaneously remedy the deficiencies of the previous regime, such as the lack of review mechanisms and enforceability, while also creating a more comprehensive legal environment.