This article was co-authored with guest blogger Peter Wainman, a partner with Mills & Reeve LLP.

Transfers of personal data from most European countries to the U.S. have been exposed to legal attack since October 2015, when privacy campaigner Max Schrems successfully sued the Irish authorities over data transfers made by Facebook Ireland. The main objection to the Safe Harbor was that transferring EU citizens’ data to the U.S. subjected the data to the U.S. government’s bulk surveillance.

That David-and-Goliath litigation saw the end of the “Safe Harbor” decision protecting transatlantic data flows when the European courts declared it invalid. While other legal methods of data transfer are available, the Safe Harbor was widely relied on, especially by technology businesses.

A new Privacy Shield

Since then, the EU and U.S. authorities have been working on a replacement – the EU-US “Privacy Shield.” After a first attempt was rejected by national and EU regulators, a tightened-up version has now passed the test. The U.S. Department of Commerce has a useful fact sheet and a guide to certification available on its website. Likewise, the European Commission’s press release and FAQs document provide a helpful summary.

The revised version of the Privacy Shield consists of: an adequacy decision describing the system of self-certification through which U.S. organizations commit themselves to a set of privacy principles; and a set of seven Annexes dealing with the arrangements that the U.S. authorities will implement to safeguard EU citizens’ data.

U.S. companies will be able to self-certify with the U.S. Department of Commerce beginning on August 1. There will be an annual joint review process to check that the system is working.

The certainty offered by agreement of the Privacy Shield has been widely welcomed. The Privacy Shield requires the creation of a new U.S. authority intended to address concerns of EU citizens about U.S. government surveillance. However, this may not be the end of the story. Max Schrems, the activist responsible for the demise of its predecessor, has told journalists that Privacy Shield is full of holes, and as such is likely to fail a legal challenge – although he does not want to be the one to bring it.

What does this mean for the UK?

The UK privacy regulator, the ICO, has indicated that it will press for UK laws to track those of the EU.

It may be that the UK will adopt most of the changes due to take effect in 2018 under the GDPR, but leave out some of the more onerous obligations that could impede the activity of SMEs, for example. If the UK ends up with a relatively distant relationship with the EU compared to an EEA member like Norway, privacy laws could diverge. In that case, the UK will have to demonstrate adequacy of protection for European citizens’ privacy, as the U.S. has done, if it is to do business freely across Europe.

Kathleen Porter

Kathy Porter’s practice straddles the areas of intellectual property, business transactions, trade regulation, and Internet law and includes import/export control issues, such as compliance and enforcement, competition, privacy, and data security. She counsels businesses on the development and implementation of data security and privacy practices to comply with the patchwork of laws and rules applicable to the collection, use, safeguarding, sharing, and transfer of protected or personal data. She regularly structures arrangements with promoters, marketers, website exchanges, and other third parties for the purchase, sale, sharing, and safeguarding of personal data. Kathy prepares and negotiates representations, warranties, and indemnities regarding personal or protected data and privacy and data practices. She also assists clients with privacy audits and works with third-party certification organizations to obtain certification of companies’ privacy practices. She guides clients through internal investigations to assess and address notice and other obligations regarding privacy breaches. Kathy often works closely with our litigation attorneys to manage external investigations such as those by federal or state regulators. Read her rc.com bio here.