New transatlantic data flow framework – the Privacy Shield

At the beginning of February, the European Commission and the United States agreed on a new framework for transatlantic data flows, the so-called EU-US Privacy Shield. The agreement is the reaction to a judgment of the European Court of Justice from the 5th of October 2015 that says that the current transatlantic data transfer framework, known as the Safe Harbour is invalid and cannot be used any longer.

The agreement enabled the data transfer from the EU to the United States freely, because American companies that signed this agreement agreed to meet the European data protection conditions that are stricter than those in the US. However, the decision of the court claimed that the Safe Harbour is not valid as it concluded that American surveillance authorities had access to personal data of European users. The new agreement should put stronger obligations on American companies that deal with European personal data. In addition, the US assured that it will limit the possibility to access personal data of European citizens to public authorities for law enforcement and national security reasons. Furthermore, if an EU citizen feels that his/her personal data have been abused, there are several redress possibilities embodied in the agreement.

The Privacy Shield agreement announcement was welcomed by the business community because the invalidation of Safe Harbour caused serious problems and uncertainty for both EU and US-based companies. EU businesses, therefore, urge the Commission to finalize Privacy Shield negotiations as soon as possible and give companies a sufficient time to adapt to new rules, which is especially important for SMEs.