From Safe Harbour to Privacy Shield: Advances and shortcomings of the new EU-US data transfer rules

19-01-2017

The CJEU’s Schrems judgment of October 2015, besides declaring the European Commission’s Decision on the EU-US ‘Safe Harbour’ data transfer regime invalid, also settled a number of crucial requirements corresponding to the foundations of EU data protection. These need to be taken into account in assessing the Privacy Shield, the new framework for EU-US data transfer. Less than one year after the CJEU ruling, the Commission adopted a new adequacy decision, in which the Privacy Shield regime is deemed to adequately protect EU citizens. This analysis discusses the main improvements of the Privacy Shield over its predecessor, as well as the critical reactions to the new arrangements, bearing in mind that an annual review is expected to take place by summer 2017, which will also take into account the coming into effect of the EU General Data Protection Regulation in 2018.
