This week the Privacy Shield Agreement was formally approved for data transfers between EU member states and the US.
As previously reported, Privacy Shield is the replacement for the former Safe Harbor Agreement, declared unlawful by the Court of Justice of the European Communities (CJEU) in October last year, since when EU based employers who transfer their employees’ data to the US have been in a legal limbo.
Privacy Shield was agreed in draft between the US Government and the EU Commission in February this year. It provides increased protection for data relating to subjects of EU member states through:
- a US ombudsman to handle complaints from EU citizens about Americans viewing their data without permission;
- written commitments from the US Office of the Director of National Intelligence that EU citizens’ personal data will not be subject to mass surveillance;
- a joint annual review to ensure that this new system is working properly;
- EU data protection authorities to work with the Federal Trade Commission to address any flagged problems; and
- companies being barred from making use of this process if they do not comply with privacy safeguards.
These proposals were initially rejected as inadequate by the EU working party dealing with data protection issues in February, particularly due to the perceived lack of independence of the Ombudsman and the continuing concerns over the possibility of mass surveillance of data. It appears that further assurances from the US Office of the Director of National intelligence that EU citizens’ data would not be subject to mass surveillance, have now satisfied most, though not all, member states – representatives from Austria, Slovenia, Bulgaria and Croatia abstained from the vote, saying that they still had concerns that the text of Privacy Shield did not go far enough.
Now that it has been formally adopted, Privacy Shield restores a legal means by which EU-based companies may transfer employee data to the US, provided that the US entity receiving the data has formally adopted it. Adoption is not a legal obligation but, if the US entity cannot show it intends to abide by the terms of Privacy Shield, data transfers of EU subjects personal information to it will not be lawful.
David Widdowson, Partner at Abbiss Cadres commented on the Privacy Shield Agreement saying: “This is a major step forward after months of uncertainty and a two year negotiation period between the US and the EU. The EU Commission has now issued a “adequacy decision” to Member States which means that data transfers to the US under Privacy Shield are now lawful.”
Disclaimer
Content is for general information purposes only. The information provided is not intended to be comprehensive and it does not constitute or contain legal or other advice. If you require assistance in relation to any issue please seek specific advice relevant to your particular circumstances. In particular, no responsibility shall be accepted by the authors or by Abbiss Cadres LLP for any losses occasioned by reliance on any content appearing on or accessible from this article.
Circular 230 disclosure
To ensure compliance with requirements imposed by the IRS and other taxing authorities, we inform you that any tax advice contained in this article (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties that may be imposed on any taxpayer or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein.