In October 2015, the European Court of Justice set aside the so-called Safe Habor scheme (C-362/14), meaning that it was no longer possible to transfer personal data from the EU to the US based on a US company's Safe Habor registration.
This gave rise to doubt as to how personal data could at all be transferred to the US, and the national data protection agencies in the various EU countries found that it was necessary to analyse and assess the importance of the EU ruling compared to any other options concerning transfer of personal data to the US, in particular the use of the Commission's standard agreements and the Binding Corporate Rules.
In this connection, the European data protection agencies (under the auspices of the so-called Article 29 group) stated that if no appropriate solution with the US authorities had been found by the end of January 2016, the European agencies would take any necessary and appropriate measures of enforcement - depending on the outcome of the continued analyses of the other means of transfer.
An appropriate solution with the US authorities was therefore expected by the end of January 2016, or that the European agencies would initiate enforcement measures vis-á-vis companies transferring personal data to the US if the relevant agencies did not consider the enforcement to be lawful (irrespective of whether the transfer was made in accordance with the Safe Habor scheme, the Commission's standard agreements or the Binding Corporate Rules).
NEW POLITICAL AGREEMENT BETWEEN THE COMMISSION AND THE US
On 2 February 2016, the Commission and the US agreed on a new scheme replacing the Safe Habor scheme.
The new scheme will contain the following:
- A guarantee that US public authorities' access to personal data will be restricted to cover only necessary personal data
- An independent supervisor and the possibility for individuals to complain about the US authorities' processing, for instance by way of an ombudsman
- Complaints about US companies' processing of personal data must be considered by the company itself, the data protection agency of the relevant EU country, the US FTC or - if the complaint is unsolved - by a new complaint body as a last resort
- It must be ensured that the agreement is binding on the US, which requires approval at the highest level in the US
The scheme is still only a political agreement, and the Commission therefore needs to prepare an actual proposal within the next weeks to be finally adopted after having been heard by the Article 29 group and a committee consisting of representatives from the EU member states.
The publication of the Privacy Shield has led to the Article 29 group's (and the individual countries' data protection agencies') postponement of the assessment of transfers to the US based on the Commission's standard agreements and the Binding Corporate Rules until the end of February 2016. Until then, transfers may be made with authority therein.
What will happen after February 2016 and the effect of the Privacy Shield still remain to be clarified, but we will continuously follow and inform you about the development.