Potential Successor of US Safe Harbour: EU-US Privacy Shield
Information law solicitor Natalie Ruane looks at a new framework for data flow between the EU and US following the recent decision that the safe harbour framework was invalid.
Following the recent decision of the European Court of Justice (ECJ) declaring the Safe Harbour Framework invalid, the Commission have prepared a new framework for data flow between the EU and US.
The Commission declared Safe Harbour invalid on the premise that it no longer offered a level of data protection equal to or better than that of the EU. In particular, it was concerned about the freedom of the US authorities to exercise general access to data with very little limitation and, in light of that general access, about the fact that the public (EU citizens) had no right to challenge any potentially unlawful access.
The new framework, EU-US Privacy Shield, includes the following provisions:
- US companies importing EU data must publish their data policies, making them enforceable under US law. Any company handling human resources data from the EU must comply with decisions of any Data Protection Authority in the EU. For instance, if a UK company outsources human resources data handling to somewhere in the US, then that US company must follow UK Data Protection Authority decisions.
- US authorities will no longer have free rein over whose data they can access. They must now follow clear safeguards and obligations, subject to necessity and proportionality. There will no longer be mass surveillance.
- There will be a joint report produced by the EU and US on the implementation of the Privacy Shield. The aim is to update the framework and rectify potential issues, as well as to ensure that it does not become outdated.
- EU citizens will have a right to redress should they believe their data protection rights have been breached in some way. For instance, if a complaint is made to an EU Data Protection Authority about a US company, the DPA has the authority to refer the complaint to the US equivalent. Alternatively, there will also be a new Ombudsperson.
The US will need to ensure that they have the provisions in place to fulfil their obligations and the EU will need to confirm that the above proposal satisfies the current EU Data Protection requirements before it is implemented.
About the author
Natalie is a Partner and leads the Employment Law & HR team and specialises in education.
Published: Monday 21st March 2016
Categorised: Information Law