Privacy Shield succeeds Safe Harbor

18 Jul 2016

In our 13 October 2015 newsflash , we informed you that in a decision of 6 October 2015 in the Schrems case the European Court of Justice had declared the “Safe Harbor” framework invalid. Before, this framework ensured that the massive data traffic from Europe to the United States was considered to be safe if an American data recipient had joined it.

On 12 July 2016, the European Commission adopted the successor of the Safe Harbor gateway, the so-called “Privacy Shield”.

The Privacy Shield aims to facilitate again the transatlantic data flows from Europe to the United States for companies who sign up to the Privacy Shield.

According to the European and Belgian legislation on the processing of personal data (including data of employees) the transfer of personal data to a country outside Europe is forbidden, unless it guarantees an adequate level of protection. 

The Privacy Shield is a so-called “adequacy decision” which has been negotiated between the European Commission and the United States and which establishes a number of conditions for the transfer of personal data to American recipients.

The Privacy Shield is based on a system of self-certification. American companies can register themselves, by which they certify their adherence to the rules contained in the Privacy Shield. On that basis, it is then permitted to transfer personal data to these companies.   

Although the Privacy Shield enters into force immediately, the US Department of Commerce announced that it will accept certifications only as from 1 August 2016. The Privacy Shield will be evaluated annually by both the European Union and the United States, in order to verify if the agreements made under the Privacy Shield are being effectively respected.

The Privacy Shield has been severely criticised, even during its preparation. Although recently modifications have been made to the original draft, it cannot excluded that the Privacy Shield – just like the Safe Harbor framework – will be challenged before the European Court of Justice as well.  

> Action point: be careful when transferring personal data to third countries such as the United States

Keep in mind that personal data can only be transferred to a non-European recipient on condition that the necessary security measures have been taken. Henceforth, an American recipient will have the possibility to sign up to the Privacy Shield.