Safe Harbor 2.0 – Transferring Personal Information to the US
Last week, the European Commission and their US counterparts reached political agreement on Safe Harbor 2.0, or to give it its official name – the EU-US Privacy Shield.
The agreement follows the European Court of Justice ruling last October that Safe Harbor 1.0, which allowed EU organisations to transfer data to certain certified US companies, was invalid.
While the exact details of the EU-US Privacy Shield are still to be released, information to hand suggests that the new rules will be tougher than Safe Harbor 1.0, but perhaps not as strict as privacy campaigners had hoped. So far, we know that the following elements will be included:
- Stricter obligations on US companies: US companies that want to receive and process personal data from the EU will need to give commitments that data they receive will be processed fairly and in accordance with individual rights. These commitments will need to be published and will be enforceable by the US Federal Trade Commission.
- Employee Data: In addition to the general commitments to process data fairly, US companies that receive human resource data from the EU are required to commit to comply with decisions of European Data Protection Authorities (such as the UK Information Commissioner’s Office).
- Limits on US government access: The US have agreed to put in place limitations and safeguards to ensure that US government access to personal data of European citizens is necessary and proportionate, effectively confirming that the US government will not carry out indiscriminate mass surveillance of individuals in Europe.
- Individual rights: Individuals will have more redress possibilities against US companies regarding misuse of personal data, and US companies will be required to address complaints within clear timeframes. Complaints about processing by US companies made in the EU can also be referred to the US Department of Commerce and the Federal Trade Commission
Until the EU-US Privacy Shield has been formally approved, employers should continue to be cautious about transferring personal data to the US. Current data protection laws provide a number of options to permit international data transfers, such as consent from individuals or the use of the Standard Contractual Clauses, which can be relied on in the meantime.
Further guidance for employers about transferring data overseas can be found in the Employment Law Alliance’s recent guide on “Employee Data Privacy in Europe”. Burness Paull’s employment and data protection teams contributed to the UK section of this publication, which is available here.
4th June 2021
The European Commission has published the final version of the new Standard Contractual Clauses.
23rd March 2021
The key feature of the new legislation is that it seeks to introduce a “duty of care” for companies.
22nd February 2021
The European Commission has published two draft “data adequacy” decisions in favour of the UK.