Written by David Marchese
In February we commented on the agreement reached between the EU and US authorities on a new framework for transatlantic data flows, called the “EU-US Privacy Shield”. This would allow the transfer of personal data from EU countries to the USA, where other legal justifications for this are not available.
The background, to recap, is that it is illegal to transfer personal data from EU countries to countries which do not have an equivalent level of legal protection, the USA being one of them. The previous scheme which purported to permit this, the “Safe Harbor”, was held invalid by the European Court in 2015, following the disclosures by Edward Snowden of mass surveillance of personal data by the US authorities.
What has happened since February is that, in response to concerns expressed regarding the Privacy Shield agreement, further modifications to the new arrangements have been made, and further assurances have been given by the US authorities, which enabled the EU Commission to make a decision as to the adequacy of the new arrangements.
The Privacy Shield arrangements involve new legal rights for EU citizens under the Judicial Redress Act, with the appointment of an Ombudsman (a new concept for the USA) and arbitration provisions. US companies will be able to self-certify from 1st August, and will have nine months to adjust their contracts.
It is possible that legal attacks will be made against the new scheme, and it may take time for US companies to make use of it, so entities in the EU should consider their position. The authorities in Germany have been fining companies for non-compliance, although the UK’s Information Commissioner’s Office has taken a more laid back approach.
The UK is, of course, still a member of the EU, notwithstanding the Brexit vote, but UK businesses will not be able to use the Privacy Shield after we exit the EU. Where we will be on this issue in just over two years’ time is anyone’s guess at the moment.
Contact the Author
I graduated from Oxford University before qualifying as a solicitor at Herbert Smith. I went on to work at Richards Butler and then Davenport Lyons, before joining Gordon Dadds in 2014. I have extensive experience advising on the law of intellectual property, information technology and commercial contracts. I am the author of Business Licensing Agreements (Longman, 1995), the section on Supply of Goods and Services in Practical Commercial Precedents (Sweet & Maxwell) and several published articles including Joint Ownership of Intellectual Property (EIPR, 1999) and Warranties and Covenants in IP Licences (OUP, 2009).