Companies in Germany or other countries of the European Union that transfer personal data to locations in the United States have faced major legal uncertainty in recent months.
When the European Court of Justice (ECJ) declared the Safe Harbor Agreement invalid in October 2015, a basis for data transfers to the U.S. that complied with data protection law and, above all, was of great practical importance ceased to exist (see the Buse Heberer Fromm Insight "Safe Harbor is invalid – what now?"). Following negotiations that went largely unnoticed by the public for a long time, the European Commission presented a legislative package on 02/29/2016 that has been agreed with the relevant U.S. government agencies: the EU-U.S. Privacy Shield.
Since the ECJ's Safe Harbor decision, many companies transferring data to the United States have relied on the EU Standard Contractual Clauses, Binding Corporate Rules, or the consent of the person whose data is being transferred as a legal basis. In practice, however, these legal frameworks prove inconvenient and carry a high administrative burden.
The EU-U.S. Privacy Shield is intended to remedy this: as was previously the case under the Safe Harbor program, the Privacy Shield is based on a self-certification process under which American companies commit to the U.S. Department of Commerce to comply with the EU-U.S. Privacy Shield principles. In addition, the U.S. administration has given assurances under the agreement that are intended to guarantee an adequate level of data protection in the U.S. The main components of the EU-U.S. Privacy Shield can be summarized as follows:
The EU-U.S. Privacy Shield has been heavily criticized by many activists during the negotiation process. The European Commission has not yet adopted an adequacy decision, which would bring the new agreement into force. Against this background, companies should continue to base the transfer of personal data to the U.S. on the EU Standard Contractual Clauses or Binding Corporate Rules.
In the future, the transfer of personal data to third countries will be regulated in accordance with Art. 44 ff. of the EU General Data Protection Regulation. Under these provisions, such a data transfer will only be possible if the EU Commission has issued an adequacy decision confirming an adequate level of protection of personal data in the third country. In the absence of such a decision (or if it is withdrawn or declared invalid by a competent court), the only option will once again be the EU Standard Contractual Clauses or Binding Corporate Rules.