Written by Shara Monteleone and Laura Puccio,
In the 2015 Schrems case, the Court of Justice of the European Union (CJEU) declared the European Commission’s 2000 decision on the ‘adequacy’ of the EU-US Safe Harbour regime invalid. This regime had formed the legal basis to allow transfers of data, for commercial purposes, from the EU to the United States of America (USA).
One of the main concepts on which the reasoning of the Court relied is that of ‘equivalence’ – between the level of protection existing in a third country, and the European data protection system. The Court invalidated the Commission’s Safe Harbour adequacy decision because it did not contain any findings regarding the existence in the USA of laws and practices limiting interference with the right to privacy and data protection (e.g. interference by public authorities for security purposes), nor of effective judicial remedies for individuals. According to the judgment, laws which establish exceptions (such as enacting measures for security purposes) which could lead to conflict with fundamental rights should lay down clear and precise rules regarding the scope and application of the measure, and minimum safeguards against the risk of abuse, including unlawful access to and further use of such data. The corollary of this statement is that derogations from and restrictions on data protection should be allowed only if strictly necessary. Moreover, whereas the self-certification mechanism for US-based companies could be part of an adequate data protection system, it should be accompanied by effective enforcement and oversight mechanisms.
As a consequence, the judgment ruled the Safe Harbour framework, on which a large number of companies had relied, insufficient to ensure the high level of protection for EU citizens required under EU law. This invalidation of Safe Harbour created legal uncertainty and the need for a new arrangement. In the meantime, more than 4 000 US companies making data transfers switched to other existing tools, albeit more burdensome and limited, such as Binding Corporate Rules or Standard Contractual Clauses.
In 2016, the European Commission and the USA adopted a new framework for transatlantic exchange of personal data, known as the Privacy Shield. Within a year, more than 3 000 companies had subscribed to the new framework, and the US Federal Trade Commission had already brought three cases of non-compliance with Privacy Shield. In September 2017, the first joint annual review of Privacy Shield took place. Although the framework was considered to be working well, a number of recommendations for further improvements were issued. Moreover, a range of concerns still remain to be addressed (not least in view of the recent Facebook / Cambridge Analytica scandal). The European Parliament adopted a resolution in July 2018 which, although acknowledging some improvements, reiterates a number of persistent concerns about Privacy Shield and calls on the Commission to suspend the Shield. Unless the concerns can be resolved satisfactorily, the underlying legal uncertainty may not disappear, and Privacy Shield is also likely to end up challenged before the CJEU, like its predecessor.
Read the complete in-depth analysis on “The Privacy Shield: Update on the state of play of the EU-US data transfer rules”.