Author: Andrew McClelland
Following the European Courts of Justice raising concerns around the efficacy of Safe Harbor, the agreement between the European Union and US Federal authorities concerning protections around the transfer of personal data between the two areas and its protection, there has been unease amongst the business and consumer communities. Does the legal basis upon which personal data is handled and processed still hold true and are businesses now exposed to potential enforcement action by the data protection authorities?
Due to the sheer scale of transatlantic business now being conducted in this increasingly digital world, authorities have been burning the midnight oil seeking a solution that not only satisfies the legal requirements of the EU but also enables business to continue where much of a customer data is held in the ‘cloud’, which can mean servers in the US holding / processing an EU citizen’s data.
The crux of the problem is US federal legislation that allows US authorities to access these servers in certain circumstances; in contravention of the data protection principles of the EU regulations.
It was announced on Wednesday 3 February 2016 that the relevant bodies had reached agreement on a new EU-US “framework for transatlantic data flows” and the College of Commissioners have instructed the Commission to develop new rules to ensure the continued protection of consumers and give businesses certainty over the legal position.
The Commission’s press release can be viewed here.
However, some privacy campaigners and business groups have raised questions around how this might work as the US regulation allowing authorities to access the data still appears to be in place.
The Article 29 Working Party, a forum of the EU data protection authorities announced that they welcomed the announcement of the Privacy Shield and looked forward to seeing the detail of the agreement so that they could comment more fully on its efficacy.
The full Article 29 response can be seen via the link below. The release also includes four key points that give businesses some guidance on accepted data protection practice.
For more information - click here.