Following the recent invalidation of the Safe Harbour scheme by the CJEU as a legitimate ground for the transfer of personal data from the EU to the US, yesterday the EU Commission approved a political agreement reached with the US paving the way for a new and more robust mechanism for such data flows.
The “EU-US Privacy Shield”, soon to be introduced, appears to be in line with the requirements set by the Schrems judgment and will comprise the following basic elements:
- Stronger obligations on US companies handling personal data received from the EU;
- Robust enforcement by the US authorities;
- Compliance of US companies with decisions of European data protection authorities regarding HR data;
- Narrower construction of US law enforcement and national security derogations (clear limitations, safeguards and oversight mechanisms); and
- Introduction of recourse possibilities for EU data subjects towards the US Department of Commerce and the Federal Trade Commission, free-of-charge alternative dispute resolution and the creation of an Ombudsperson.
Further to this political agreement, the Commission will draft a new adequacy decision in the coming weeks, while the US authorities will have to put the new framework in place on their side. The new scheme will enter into force upon adoption of that decision by the Commission, following consultation with the Working Party of Article 29 and a committee composed of representatives of the Member States.
Until all of this happens, companies wishing to transfer data to the US are advised to rely on the current alternative transfer tools, most importantly the execution of the standard contractual clauses and the adoption of sufficient BCRs.