Up to October 2015, international businesses were legally allowed to export data about EU citizens for storage and processing in the USA under a scheme called Safe Harbor.
Businesses (on both sides of the Atlantic) liked Safe Harbor because it was a “self-certification” method. In essence it allowed businesses to promise that, once exported to the USA, the data of EU citizens would be covered by business practices and US laws that ensured a level of protection “essentially equivalent” to that provided by EU law.
The result of the Schrems case in October 2015 was that the European Court of Justice of European Union (CJEU) declared Safe Harbor invalid. [ SEE: The CJEU press release, 6 October 2015 ]
Safe Harbor sank. Not because international business didn’t want to keep its promises. But because US security agencies such as the NSA reserve the right to access any quantity of data within its territory, regardless of nationality of the ‘data subject’, whenever it wants and without prior notice.
In short: the NSA’s policy means that international businesses are not able to keep their promises.
In the absence of Safe Harbor, there are two alternative methods by which international businesses can legally export data for storage and processing outside the EU. One is “Standard Contract Clauses”; and the other is “Binding Contractual Agreements”. In comparison to self-certification, both are nightmares of detail and administration that can soak up huge amounts of time and money.
This why the European Commission and the US government have been working hard at drafting a new “self-certification” agreement. The first draft of the “Privacy Shield” was completed 29 February 2016.
The European Commission sent the draft text for review and comment to the Data Protection Authorities (DPAs) who are professionally charged with seeing that both the spirit and letter of EU Data Privacy law is enacted in practice.
On Wednesday 13 April, that group of EU Data Privacy professionals – the “Article 29 Working Party – delivered their opinion on the draft text of Privacy Shield.