Evaluating the EU-US Privacy Shield Framework: Adequate data transfer mechanisms and the future of the Framework

Research project

Investigator:

Nikolaos Theodorakis

Abstract:

The General Data Protection Regulation recognizes specific options for data transfers between the EU and the US. Since the European Commission does not consider the US an “adequate” country for data protection purposes because of its lack of comprehensive privacy legislation, different instruments need to be in place for a legitimate data transfer. Such instruments include Binding Corporate Rules, European Commission model clauses, certification mechanisms, codes of conduct, and other recognized adequacy mechanisms. One of them is the EU-US Privacy Shield Framework.

The EU-US Privacy Shield Framework was designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce. The European Commission deemed the Framework adequate to enable data transfers under EU law in July 2016. To join the program, a US-based organization needs to self-certify and publicly commit to comply with the Framework’s requirements.

The EU-US Privacy Shield is the successor framework to the Safe Harbor, which was developed between 1998 and 2000 and served as the main instrument through which companies transferred data from the EU to the US. It was invalidated in 2015 by the European Court of Justice for not offering adequate protection to EU citizens.

As of February 2017, the future of the EU-US Privacy Shield is also contested. Privacy groups have challenged its legitimacy on the grounds that it does not offer the required transparency to EU citizens, that it does not offer a mechanism for individuals to lodge complaints, and that it potentially allows wide use of EU personal data by US intelligence services. The case will be heard before the European Court of Justice, which will decide on the validity of the EU-US Privacy Shield.

This research project will investigate whether the EU-US Privacy Shield offers adequate data protection according to EU law, whether it has facilitated trade between the EU and the US over the past years, and what the consequences of its upcoming confirmation or invalidation by the European Court of Justice will be.