The EU-US Safe Harbour Agreement: What You Need to Know
The EU-US Safe Harbour Agreement was a framework designed to ensure that EU citizens` personal data was protected when it was transferred to the United States. The Agreement was first implemented in 2000 and allowed companies to self-certify that they met EU data protection standards and therefore allowed them to freely transfer data between Europe and the US.
However, in October 2015, the European Court of Justice (ECJ) declared that the Safe Harbour Agreement was invalid as it failed to provide adequate protection for EU citizens` data. The case was brought by Austrian privacy activist, Max Schrems, who argued that the transfer of his Facebook data from Europe to the US was unlawful and exposed him to surveillance by US intelligence agencies.
This decision had far-reaching implications for the thousands of companies that had relied on the Safe Harbour framework to transfer data between the EU and the US. As a result, the European Commission and the US government negotiated a new agreement, known as the EU-US Privacy Shield, which came into effect in July 2016.
The Privacy Shield is designed to address the ECJ`s concerns that US surveillance laws conflicted with EU data protection laws. It provides EU citizens with greater transparency and control over how their data is used by US companies and provides mechanisms for redress if their data is misused.
To benefit from the Privacy Shield, US companies must self-certify that they meet the Privacy Shield`s data protection standards and cooperate with EU data protection authorities. Failure to adhere to the Privacy Shield can result in fines and even exclusion from the EU market.
Despite its implementation, the Privacy Shield has faced criticism from privacy activists who argue that it does not go far enough to protect EU citizens` data. In July 2020, the European Court of Justice declared that the Privacy Shield was invalid as it did not provide adequate protection for EU citizens` data, once again leaving companies uncertain about how to transfer data between the EU and the US.
In conclusion, the EU-US Safe Harbour Agreement was a framework that aimed to ensure that EU citizens` data was protected when transferred to the United States. Its successor, the Privacy Shield, sought to address the concerns raised by the European Court of Justice but has been declared invalid as it did not provide adequate data protection. As such, companies must now rely on alternative mechanisms, such as Standard Contractual Clauses, to transfer data between the EU and the US, but even these are facing increased scrutiny.