From 1 August 2016, you can transfer personal data from the EU to organisations in the US that have committed to adhere to the principles of the EU-US Privacy Shield. Here we examine what this means for UK and other EU businesses.
Privacy Shield: a reminder of the story so far
You may recall our briefing in April this year. EU data protection law provides that personal data must not be transferred to a territory outside the EEA unless that territory ensures an adequate level of protection. The European Commission may make a positive finding of adequacy in relation to a third-party territory (which is then binding on Member States). Even if a territory's laws have not been found adequate, a transfer of personal data may still be lawful on a number of other grounds, but these are beyond the scope of this briefing.
No general finding of adequacy has ever been made in relation to the US, so the "Safe Harbor" program was approved in 2000 as a method of providing adequate protection for data transfers to the US. (Other methods of permitting transfers to the US also exist.)
In October 2015, the Court of Justice of the European Union (CJEU) declared the Safe Harbor framework invalid, in the case of Maximillian Schrems v Data Protection Commissioner. The case stemmed from a complaint filed by privacy campaigner Max Schrems at the Irish DPA, in respect of the transfer of his data by Facebook Ireland to Facebook Inc, located in the US. In July 2016 (after some delay and criticism from the Article 29 Working Party and others – see box), the European Commission adopted a replacement for the Safe Harbor – the EU-US Privacy Shield.