Following the decision of the ECJ in Schrems v Irish Data Protection Commissioner reported back in October, transfers of personal data to the US made under the US “Safe Harbor” scheme were held to be technically unlawful.
The surprise decision placed urgency on the ongoing negotiations between the US and EU on a revised Safe Harbor framework – which have been rumbling on for the last two years. Agreement on Safe Harbor v2 - which is to be called the “Privacy Shield” - was reached at the beginning of February and the draft principles were published yesterday.
The Privacy Shield will, like the Safe Harbor, operate a self certification scheme overseen by the US Department of Commerce. The main changes are:
Many multinationals joined the Safe Harbor to legitimise transfers of HR data to their US based headquarters. Those organisations will need to take steps to either join the Privacy Shield or take other measures (such as model agreements or binding corporate rules) to legitimise their data transfers.
It is unlikely that this is the last we have heard from law student Max Schrems (who brought the original challenge) and so it is possible that the Privacy Shield will itself be tested before the ECJ before too long.