Safe Harbor allowed US companies to self-certify a commitment to protect personal data in accordance with standards that were accepted as meeting European requirements. The European Commission's 'Safe Harbor Decision' confirmed that transfers to such companies were deemed 'adequately protected'. Over 4000 US companies have signed up to the regime.
The decision in Maximillian Schrems v Data Protection Commissioner invalidated the Safe Harbor Decision with immediate effect. From 6 October 2015, the Safe Harbor regime therefore ceased to provide a valid legal basis for EEA-US transfers of all types of personal data.
On Tuesday 2 February, less than 24 hours after a tentative update to the European Parliament's LIBE committee, the European Commission announced that a political agreement had been reached on the replacement for Safe Harbor.
The Article 29 Working Party responded to the Commission proposal, titled the "EU-US Privacy Shield", in a live press conference on Wednesday 3 February. In this conference, Working Party Chair Isabelle Falque-Pierrotin confirmed that regulators would continue to permit transfers to the US based on Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) but warned that transfers still reliant on Safe Harbor were now illegal.
Bird & Bird's Privacy & Data Protection team has produced a number of news alerts covering the key aspects of the Safe Harbor decision and the proposed "EU-US Privacy Shield". These can be accessed via the following links:
On Wednesday 13 July, we hosted a fourth global webinar in response to the Article 31 Committee vote to approve the revised EU-U.S. Privacy Shield. We also considered the potential consequences of "Brexit" on your privacy programme.