In October we reported that the ECJ had ruled the Safe Harbour agreement to be invalid. Following the ruling discussions have been taking place between the EU and US with a view to replacing Safe Harbour. The EU-US privacy Shield has now been announced which hopes to provide a workable solution.

What was Safe Harbour?

European legislation prohibits the transfer of personal data to a country outside the EU unless the country ensures an "adequate level of protection of personal data". The Safe Harbor scheme was a set of principles and rules for processing personal data. US organisations wishing to transfer personal data from the EU to the US could subscribe to the scheme voluntarily with the US Department of Commerce. An agreement was reached between the US and the European Commission in 2000 that US companies that subscribed to Safe Harbour would be considered to be operating within the requirements of the European legislation requirements. However, last year the ECJ disagreed.

The EU-US Privacy Shield

The EU-US Privacy Shield aims to provide a more robust and transparent mechanism to protect EU citizens’ data transferred to the US. The new arrangement will create stronger obligations for US companies to protect personal data and greater enforcement measures by US authorities.

The collapse of Safe Harbour came about because Ed Snowden alleged that the NSA had gained access to personal information regarding Europeans (and other foreign nationals) from the giant tech companies. Under the EU-US Privacy Shield, US intelligence agencies will be limited to processing EU citizens’ personal data for law enforcement and national security purposes only to the extent that such processing is “necessary and proportionate”.

EU citizens will also have increased rights of redress and the option to refer a dispute to a newly appointed Ombudsman.

What happens now?

At present, we continue with a state of uncertainty. The EU-US Privacy Shield has only been agreed in principle. It is still many months away from being finalised. In the meantime, we recommend that businesses should consider:

• Does personal data really need to be shared with the US entity?
• Can the data be anonymised? If so, the Data Protection Act will not apply. This can be difficult to achieve in practice without the data losing its usefulness;
• Whether model contract clauses are/should be put in place. These clauses have been approved by the EU as ensuring adequate protection.