The new safe harbor for employee data?


The new EU-U.S. agreement Privacy Shield as a substitute for the Safe Harbor program

Companies in Germany or other countries of the European Union that transfer personal data to locations in the United States were faced with a major legal uncertainty in recent months.

When the European Court of Justice (ECJ) declared the Safe Harbor Agreement invalid in October 2015, the basis for transferring data to the U.S. in compliance with data protection law, a basis of great practical importance, ceased to exist (see the Buse Heberer Fromm Insight "Safe Harbor is invalid – what now?"). Following negotiations that went largely unnoticed by the public for a long time, the European Commission presented a legislative package on 02/29/2016 that has been agreed with the relevant U.S. government agencies: the EU-U.S. Privacy Shield.

Since the ECJ's Safe Harbor decision, many companies transferring data to the United States have relied on the EU Standard Contractual Clauses, Binding Corporate Rules, or the consent of the person whose data is being transferred as the legal basis. In practice, however, these legal frameworks prove to be inconvenient and involve a high administrative burden.

The EU-U.S. Privacy Shield is intended to remedy this: As previously under the Safe Harbor program, the Privacy Shield is based on a self-certification process under which American companies commit to the U.S. Department of Commerce to comply with the EU-U.S. Privacy Shield principles. In addition, the U.S. administration has given assurances under the Agreement that are meant to guarantee an adequate level of data protection in the U.S. The main components of the EU-U.S. Privacy Shield can be summarized as follows:

  • Commitment by U.S. companies: Obligation to comply with the EU-U.S. Privacy Shield Privacy Principles and their publication in the Privacy Policy of the company.
  • Monitoring: Joint annual evaluation of the EU-U.S. Privacy Shield Agreement by the EU and the United States.
  • Access by the U.S. government: Guarantees against massive access to data by U.S. authorities.
  • Legal protection: Multi-level complaints and escalation procedures are intended to provide EU citizens with effective judicial protection.

What do companies need to do now?

The EU-U.S. Privacy Shield was heavily criticized by many activists during the negotiation process. The European Commission has not yet adopted an adequacy decision, which is what would bring the new agreement into force. Against this background, companies should continue to base the transfer of personal data to the U.S. on the EU Standard Contractual Clauses or Binding Corporate Rules.
In the future, the transfer of personal data to third countries will be regulated in accordance with Art. 44 ff. of the EU General Data Protection Regulation. From then on, such data transfer will only be possible if the EU Commission has issued an adequacy decision confirming an adequate level of protection of personal data in the third country. In the absence of such a decision (or if it is withdrawn or declared invalid by a competent court), the only way will, once again, be the EU Standard Contractual Clauses or Binding Corporate Rules.
