For decades, overcoming the limitations of European data protection law to transfer personal data to countries outside the European Union has been a compliance priority for organisations operating internationally. Global data flows are part of the fabric of modern communications and everyday commercial and social interactions. This is especially true of the transatlantic relations between the European Union and the United States. However, countries such as the US that approach the regulation of personal data privacy from a different perspective than countries in Europe face a tough challenge when trying to demonstrate an adequate level of protection according to the European standard.
In order to bridge the different legal approaches and considering the large volume of data transfers carried out between the EU and the United States, the US Department of Commerce (DoC) and the European Commission developed the Safe Harbor mechanism as a self-regulatory framework that would allow organisations to satisfy the requirements of EU data protection law in respect of transatlantic data transfers. In 2000, following extensive negotiations, the Commission issued a decision stating that the Safe Harbor Privacy Principles provided adequate protection for personal data transferred from the EU. This decision enabled EU personal data to be transferred to US-based companies that agreed to abide by the Safe Harbor Privacy Principles.
However, from its adoption, the Safe Harbor framework was fraught with challenges. Although the data protection requirements set out in the Safe Harbor Privacy Principles were meant to match the adequacy standards of the EU Data Protection Directive, the framework's self-certification nature and the non-European style of its provisions attracted much criticism over the years. Perceived weaknesses included the failure of participants to perform required annual compliance checks and the lack of active enforcement by the Federal Trade Commission compared to other domestic cases. These factors led some EU data protection authorities to question the validity of the Safe Harbor framework as an adequacy mechanism.
The Schrems decision
In 2014, the validity of Safe Harbor was fatally questioned by Austrian law student Maximilian Schrems, who lodged a complaint with the Irish Data Protection Commissioner requesting the termination of any transfers of personal data by Facebook Ireland to the United States. Mr Schrems claimed that Facebook Ireland – the data controller for Facebook’s European users’ data – could no longer rely on the Safe Harbor framework to legitimise the transfers of his data to the US because of the wide access that US intelligence agencies had to such data as revealed by Snowden.
The complaint was then escalated to the Irish High Court, which in turn referred the matter for decision by the Court of Justice of the European Union (“CJEU”), the highest judicial authority on the interpretation of EU law. On 6 October 2015, the CJEU issued its judgment and declared the Safe Harbor adequacy decision invalid. This ruling increased the pressure on the European Commission to agree a more robust alternative mechanism for transfers of data from the EU to the US.
Read the whole article http://www.infolaw.co.uk/newsletter/2016/05/is-the-privacy-shield-adequate/
Source: Internet Newsletter for Lawyers