The Privacy Shield—timeline
The Privacy Shield—timeline

The following Information Law practice note provides comprehensive and up to date legal information covering:

  • The Privacy Shield—timeline
  • Invalidation of the Privacy Shield—Schrems II
  • Challenges to the Privacy Shield
  • Development and review of the Privacy Shield
  • Invalidation of Safe Harbor—Schrems I

Article 44 of the EU’s General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR) prohibits the transfer of personal data to a third country outside of the EEA, or an ‘international organisation’ (an international transfer). However, in certain circumstances, an international transfer of personal data may be permitted where the transfer is:

  1. based on an adequacy decision

  2. subject to appropriate safeguards

  3. in accordance with specific exceptions/derogations

Under Article 45 of the EU GDPR, the European Commission, has the power to determine whether a country outside of the EEA offers an adequate level of data protection, based on its domestic legislation or the international commitments it has entered into.

The US is not recognised as an ‘adequate’ territory under EU law. However, as a result of the large volume of data transfers carried out on a daily basis between the EEA and the United States, a mechanism to allow 'adequate' transfers of data from the EEA to the US was felt necessary. The Commission issued a Decision in 2000 under Directive 95/46/EC (the Data Protection Directive), stating that the so-called Safe Harbor Privacy Principles provided adequate protection for personal data transferred from the EEA. An EEA controller was lawfully allowed to transfer data to a Safe Harbor registered organisation.

On 6 October 2015, following a reference to the Court of Justice of the European Union (Court of Justice)

Popular documents