The Transfer of EU Personal Data to Third Countries: From the «Safe Harbour» to the «Privacy Shield»
Are you already subscribed?
Login to check
whether this content is already included on your personal or institutional subscription.
Abstract
As the US system as a whole is not deemed to offer an adequate protection of personal data (given, in particular, the absence of a set of protections applying horizontally to all sectors and of an independent data protection authority entrusted with the supervision of compliance with such overarching legislation) companies engaging in transatlantic flows of personal data have to base their transfers on one of the alternative instruments foreseen under EU law. To facilitate transfers of data across the Atlantic, a specific regime was introduced in 2000: the Safe Harbour. This regime consisted in a self-certification mechanism by which thousands of US companies submitted themselves to additional obligations compared to those applicable under US law and could therefore be considered as offering an adequate level of protection. Following revelations on US mass surveillance programs, the legality of the Safe Harbour, and in particular its compatibility with the EU charter of Fundamental Rights (Articles 7 and 8), was challenged before the ECJ. In its Schrems judgment of 6 October 2015, the Court of Justice found the Safe Harbour invalid. The present article seeks to analyze this ruling, assess it implications on alternative tools for transfers available under EU law (standard contractual clause, binding corporate rules) as well as address prospects for a successor arrangement on transatlantic data flows (Privacy Shield).
Keywords
- EU Personal Data
- USA
- Schrems
- Safe Harbour
- Privacy Shield