Safe Harbour and Privacy Shield

Goodbye Safe Harbour and Privacy Shield

In data protection, these are the names given to the adequacy decisions with the US. First under Safe Harbour and then, after the former was annulled, under Privacy Shield, international transfers were allowed without authorization. Since July 2020, with the Schrems II ruling, Privacy Shield has been annulled.

Goodbye Safe Harbour and Privacy Shield. Indeed, with the European Court of Justice's Schrems I and Schrems II decisions, both Safe Harbour and Privacy Shield have said goodbye. The consequences of these annulments must be taken into account when transferring data internationally.


What was “Safe Harbour”?

Safe Harbour was the name given to Decision 2000/520/EC, which regulated data transfers with the USA. Under it, the transfer of data between companies in the European Union and the USA did not require the authorization of the supervisory authorities. All US companies that complied with the principles of the Commission’s decision would be considered a safe harbour. This was the European Union's first adequacy decision with the US. These decisions state that the level of data protection in a third country is adequate. In other words, the country's data protection standards are adequate in relation to those established by the GDPR.

This decision, however, was invalidated by the ECJ in the Schrems I ruling of 2015, because the US system did not really provide the minimum guarantees. It did not provide enforceable rights or effective legal remedies: in the US, the security authorities were allowed to access all data transferred, and there was no recourse to any judicial body to challenge this intervention. Because of these shortcomings, Safe Harbour was invalidated, and Privacy Shield was enacted in 2016.

 

What was Privacy Shield?

Privacy Shield refers to the second adequacy decision of the European Commission on transfers to the USA. Implementing Decision 2016/1250 was adopted after the US decided to make changes to its data protection. The most prominent change was the establishment of an ombudsman in this area. The US also limited access to data by its security agencies. As a result, international data transfers were again allowed without the authorization of a supervisory authority.

However, with the Schrems II ruling of July 2020, Privacy Shield was invalidated, because under it the European supervisory authorities were given the power to review these transfers only in exceptional cases. It was therefore an exception for the supervisory authority to be able to verify whether the appropriate level of protection was in fact provided. This did not correspond with the provisions of the GDPR, because the supervisory authorities, with their inspection powers, should have been able to restrict this data flow in any case as long as there were no adequate guarantees of protection. It was also understood that the new guarantees provided by the USA were insufficient, since an effective system of legal remedies was still missing. Also, although its agencies, such as the NSA, were more limited, they continued to access Europeans' data.

Consequences

There is currently no adequacy decision in effect with the United States. To allow international data transfers to the United States, one of the mechanisms of Article 46 of the GDPR must be used. That article establishes alternative mechanisms for cases where no adequacy decision exists. However, what these judgments say about standard contractual clauses must also be taken into account. These clauses were the mechanism most commonly used to allow transfers in the absence of an adequacy decision. Now, however, transfers made under these standardized clauses can be prohibited or suspended, because the regulations of the third country may not allow the clauses to be exercised effectively. This is the case with the interference of foreign authorities in the United States in terms of monitoring.

Every company wishing to transfer data to the USA must now be aware of these rulings and adopt one of the methods of Art. 46 GDPR. This method can be checked by the supervisory authority of the Member State. If one of these methods is not used, the express authorization of the supervisory authority will be required. Otherwise, currently, all data transfers between the European Union and the USA would be stopped.

Conclusions

In less than 5 years, two adequacy decisions with the US have been invalidated. This demonstrates how the US system does not meet the minimum guarantees required by the GDPR. There is no effective judicial or administrative system to fall back on. Not all ARCO rights are guaranteed to the same extent as in Europe. However, when Safe Harbour was invalidated, it took less than a year to create Privacy Shield. So maybe next year we will have the third adequacy decision with the US. For now, we will have to stick to the other mechanisms of Art. 46 GDPR.
