European Union data protection law restricts the transfer of EU-origin personal data to countries outside the European Economic Area unless there is a mechanism in place to ensure an adequate level of protection of the personal data.
In 2000, the European Commission approved the EU-US Safe Harbor Privacy Principles, which allowed many U.S. companies to voluntarily opt into a program that, with a self-certification of certain privacy processes and principles, allowed the companies to receive EU-origin personal data in compliance with EU law. The Safe Harbor provided a relatively easy way to meet the “adequacy” requirements of the EU data protection authorities. Other mechanisms to enable data transfers to the U.S., including binding corporate rules and the use of signed standard contract clauses, impose a significant administrative burden on companies doing regular business in the EU.
In October 2015, the European Court of Justice abruptly invalidated the Safe Harbor framework based, in part, on Edward Snowden's revelations of previously undisclosed surveillance of electronic communications by U.S. intelligence agencies. This decision led to a mad scramble by U.S. companies to find another way to legally receive and process EU-origin personal data.
Nine months later, in July 2016, EU member states approved a new framework (EU-US Privacy Shield) with stronger provisions to address the concerns that led to the invalidation of the previous Safe Harbor Principles. To date, over 3,000 US companies have self-certified their acceptance of the requirements of the Privacy Shield.
During the review and negotiations of the Privacy Shield, EU data protection authorities issued an opinion identifying three areas of concern:
- The Privacy Shield does not require organizations to delete personal data when it is no longer needed;
- The U.S. government does not “fully exclude the continued collection of (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Amy Grant. Read the original post at: https://www.tripwire.com/state-of-security/off-topic/eu-us-privacy-shield-2/