Privacy Shield â new Safe Harbour agreement reached

UPDATE: On February 2 the European Union reached agreement with the US on a new framework for transatlantic data flows following a small delay

Vice President for the Digital Single Market on the European Commission Andrus Ansip said: "Our people can be sure that their personal data is fully protected. Our businesses, especially the smallest ones, have the legal certainty they need to develop their activities across the Atlantic.

"Today's decision helps us build a Digital Single Market in the EU, a trusted and dynamic online environment; it further strengthens our close partnership with the US," he said

European commissioner for justice, consumers and gender equality Vera Jourová said: "The new EU-US Privacy Shield will protect the fundamental rights of Europeans when their personal data is transferred to U.S. companies.2

The new name for the agreement is 'EU-US Privacy Shield' rather than 'Safe Harbour' 1.1 or 2.0.

This is presumably designed to indicate that this a fresh agreement rather than a updated version of Safe Harbour, which ran into difficulty, struck down in the Schrems case

Schrems case

The European Court of Justice struck down the previous Safe Harbour agreement in October 2015 following a case brought by Max Schrems. Schrems said the 'Safe Harbour', extended to some 3,000 US tech firms that permitted those firms to move data to the US from the EU offered no protection to EU citizens in light of the revelations made by Edward Snowden.

This forced the European Commission to negotiate a revised agreement with the US.

Reaction of the European national data protection authorities

The European national data protection authorities finished a regular two day meeting on February 3, and this topic was top of the agenda. The conclusions of the meeting were as follows:

1. Model Contract Clauses and Binding Corporate Rules can be used for the moment to transfer personal data to the US
2. The national data protection authorities will review the new EU-US Privacy Shield, Model Contract Clauses and Binding Corporate Rules at the same time to see whether the three transfer mechanisms meet the requirements of European law, specifically with regard to intelligence activities
3. The assessment for all personal data transfers to the US will be done at a special meeting to be organised in the coming weeks.

What should members do now?

The new Privacy Shield agreement will take around three months to finalise so members who transfer personal information to the US and have relied on Safe Harbour should have already reviewed the transfer and be thinking about using Model Contract clauses instead.

The ICO has advised UK companies not to panic and this advice still holds.

Members using the goods and services of US tech companies may well have been asked to sign Model Contract Clauses by those US-based companies already.

Members should certainly consider putting in place alternative arrangements because of a legal challenge to the new Privacy Shield Agreement

Will there be a legal challenge to the new Privacy Shield agreement?

Max Schrems indicated that following the press conference on February 2 that: "Judging from the mere headlines we know so far, I am however not sure if this system ( Privacy Shield) will stand the test (set out in the Schrems judgement) before the European Court of Justice. There will be clearly people that will challenge this- depending on the final text I may well be one of them”

The DMA will keep members advised of further developments.

Remember: our annual data protection summit takes place February 26, featuring keynotes from the ICO’s Chris Graham, the DCMS’ Baroness Neville-Rolfe and Facebook. Find out more here.