The EU-US data transfer framework known as Safe Harbor was declared invalid by the European Court of Justice (ECJ) on 6 October 2015 in the Schrems ruling. Now, the European Commission has adopted a new regime, known as the EU-US Privacy Shield, to address the concerns raised by the ECJ when it struck down Safe Harbor. Based on the new regime, companies will be able to transfer personal data across the Atlantic – including data on employees and customers.

The legal background

The legal background for the new Privacy Shield is the EU Data Protection Directive. According to the Directive, a specific legal basis is required to transfer personal data to a third country, regardless of the nature of the personal data. This will also be the case when the Directive is replaced by the General Data Protection Regulation (GDPR) in 2018, as the GDPR contains similar requirements.

Under the Directive (and the GDPR), various instruments are accepted as legal basis for transferring personal data to a third country. The most common instrument is entering into an agreement implementing what is known as ‘EU Model Clauses’ (standard EU approved terms for data transfer). However, in relation to transferring personal data to the US, another common instrument was signing up to the ‘Safe Harbor’; a framework approved by the Commission and operated by the US Department of Commerce. Companies in the US that had joined the Safe Harbor framework were regarded as ensuring “an adequate level of protection” for personal data, allowing personal data from the EU to be transferred to such companies.

Oct-Dec 2016 Issue

Norrbom Vinding