Transfers of personal data from most European countries to the US have been exposed to legal attack since October 2015, when privacy campaigner Max Schrems successfully sued the Irish authorities over data transfers made by Facebook Ireland.
That David-and-Goliath litigation saw the end of the “Safe Harbor” decision protecting transatlantic data flows when the European courts declared it invalid. While other legal methods of data transfer are available, the Safe Harbor was widely relied on especially by technology businesses.
A new Privacy Shield
Since then, the EU and US authorities have been working on a replacement – the EU-US “Privacy Shield” After a first attempt was rejected by national and EU regulators, a tightened-up version has now passed the test. The Commission's press release and FAQs document provide a helpful summary.
The revised version, consisting of:
- an adequacy decision describing the system of self-certification through which US organisations commit themselves to a set of privacy principles; and
- a set of seven Annexes dealing with the arrangements that the US authorities will implement to safeguard EY citizens' data.
US companies will be able to certify themselves with the US Department of Commerce from 1 August. There will be an annual joint review process to check that the system is working.
While the certainty offered by agreement of the Privacy Shield has been widely welcomed, this may not be the end of the story. Max Schrems, the activist responsible for the demise of its predecessor, has told journalists that the deal is full of holes and likely to fail a legal challenge – although he does not want to be the one to bring it.
What does this mean for the UK?
UK privacy regulator, the ICO, has indicated that it will press for UK laws to track those of the EU.
It may be that the UK will adopt most of the changes due to take effect in 2018 under the GDPR, but leave out some of the more onerous obligations that could impede the activity of SMEs for example. If the UK ends up with a relatively distant relationship with the EU compared to an EEA member like Norway, privacy laws could diverge. In that case, the UK will have to demonstrate adequacy of protection for European citizens' privacy, like the US has done, if it is to do business freely across Europe.