Transferring Data to the US

We reported at the end of last year that the Court of Justice of the European Union (the CJEU) had on 6 October 2015 invalidated the Safe Harbor scheme for transfer of personal data from the EU to the US with immediate effect.

Since that decision the EU and US have been working together on a new scheme for transferring personal data to the US, named Privacy Shield. With both sides acutely aware of the economic and political stakes involved, the efforts have been significant but are not yet complete. Industry must bear in mind the importance of ensuring its compliance with current EU law.

Privacy Shield was agreed in principle on 2 February and on 29 February the European Commission issued a draft ‘adequacy finding’ indicating that the new regime should be compatible with EU data protection legislation. This draft is currently being reviewed by national data protection authorities and will need to be approved by the College of Commissioners before becoming a lawful vehicle for transferring personal data to the United States.

There has been a lot of press coverage of the developments on Privacy Shield. However, it is important to note that the new scheme has not yet been officially sanctioned and therefore does not currently facilitate the transfer of personal data to the US. While it seems likely that the Shield will ultimately be approved, it should not be taken for granted. Furthermore, in the event that Privacy Shield is formally implemented, US companies will need to commit to robust obligations on how personal data is processed and how data subjects’ rights will be guaranteed. This will be monitored by the Department of Commerce in the US. We will provide an update on the precise requirements of Privacy Shield when and if it is brought into force.

In the interim, companies should be mindful that any personal data being transferred to the US under the old Safe Harbor or in anticipation of Privacy Shield and without current adequate measures in place (such as Model Clauses) will be in breach of data protection law. Organisations that are ‘waiting’ for Privacy Shield to be passed but continue to transfer personal data in the interim are at risk of enforcement action. While there has been some forbearance by national authorities, this can no longer be relied upon. For example, the Hamburg Data Protection Authority announced last week that it is planning to fine a company for transatlantic transfers without implementing adequate measures.