23 March 2018
The EU and US have agreed a new arrangement, labelled the 'Privacy Shield', to enable the transfer of data between both regions. The new agreement replaces the 'Safe Harbour' deal, which was struck down by the European Court of Justice in October 2015.
The Safe Harbour replacement was widely anticipated and EU privacy regulators had set an unofficial 31 January for a new EU-US agreement, so the timing of the Privacy Shield announcement is not a huge surprise. While there may be some grumbles from some EU national regulators, and I can see possible legal challenges from European privacy activists, I think the new arrangement will generally welcomed by most businesses and organisations as a pragmatic solution.
It will be interesting to see what the details of the new scheme are – for example will any allowance be made for old Safe Harbour registrations to be grandfathered into the new scheme, or will businesses need to start over again?
I expect that the detailed arrangements which include a new regulatory framework, monitoring mechanisms and new Ombudsman for dealing with complaints from EU citizens will take a number of weeks to be formally adopted and implemented.
In the meantime, a number of organisations we deal with have already been busy putting in place alternative arrangements (such as 'Model Clauses') in the wake of the original Safe Harbour invalidity decision last year and these efforts should continue until the new scheme comes into force.