Transferring data to the US? New agreement reached with the EU26 Feb 2016
You may recall that last year the EU–US Safe Harbour agreement was invalidated by the European Court of Justice (read more here), causing problems for thousands of companies that relied on the arrangement to transfer data to the US without breaching European data protection regulations.
If you were one of those companies, then additional burdens will have been imposed on your business in order to ensure that data was being transferred legally, requiring the introduction of standard contractual clauses or binding corporate rules, rather than relying on the “pre- approved” Safe Harbour regime. The good news is that there is some relief in sight, as the European Commission and the US have now reached a new replacement agreement for the transfer of data from the EU to the US.
What’s the update?
This new agreement, reassuringly called the “EU–US Privacy Shield” will place stronger obligations on US companies handling EU citizens’ personal data and more robust enforcement measures, as well as increased co-operation with European data protection authorities. Other features include limitations, safe guards and over sight mechanisms in relation to US Government agencies’ access to personal data. This addresses the concern around indiscriminate mass surveillance by the US, such as the NSA’s, which led to the case in which Safe Harbour was ultimately invalidated. There will also be new complaints and redress routes available to EU citizens and the EU Commissioner, and the US Department of Commerce will carry out an annual joint review.
What does this mean for my business?
These new measures will address the requirements of the European Court of Justice when it invalidated the previous arrangement and will remove some of the barriers for companies based in the EU when transferring data to the US, whilst giving peace of mind that the relevant protections will be in place. More details will be released over the coming months but in the meantime, companies making transfers of data to the US should continue to ensure that Binding Corporate Rules or standard contractual clauses are put in place, so as not to fall foul of Data Protection Regulations.
If you have any queries about Data Protection or would like us to review any contracts for compliance with the relevant regulations, please contact us or call 0161 832 3434.