In a thorough legal analysis of the EU-U.S. Privacy Shield framework, a report from Hogan Lovells says the framework would stand up in the Court of Justice of the European Union (CJEU), and that the true level of data protection afforded by the Privacy Shield framework will only be demonstrated by its functioning and the practices of its participants.
The report provides an objective view of the new framework concerning transatlantic dataflows and includes a rigorous assessment of the Privacy Shield based on European jurisprudence.
The Hogan Lovells analysis finds that the Privacy Shield Framework substantially meets the criteria for adequacy under Article 25(6) of the Data Protection Directive, as interpreted by the CJEU, and concludes that the framework provides an ‘essentially equivalent’ level of protection for personal data transferred from the EU to the U.S.
Eduardo Ustaran, London-based partner at Hogan Lovells, and lead author of the report, comments:
Overcoming the limitations of European data protection law to transfer personal data to countries outside the European Union, in particular the United States, has long been a compliance priority for organisations which operate internationally. The Privacy Shield is crucial in bridging the gap between European and American approaches to privacy and it is therefore essential that it can be relied upon with complete certainty.
Given the pressures to ensure that personal data transferred from the EU to the US is protected in accordance with European standards, the Privacy Shield will be subject to strict scrutiny by regulators and the courts as it becomes an established framework for compliance. Accordingly, assessing and determining the robustness and legal validity of the Privacy Shield is a business and political necessity.
Hogan Lovells’ report provides a detailed analysis of the adequacy of the Privacy Shield. It considers the historical background that preceded the adoption of the Privacy Shield as well as the precise legal criteria that the CJEU would likely use in the future to determine the validity of the new framework.
As we have reported previously, the EU-U.S. Privacy Shield is the result of a political agreement on a new framework for transatlantic exchange of personal data for commercial purposes, which was reached by the European Commission and the U.S. Department of Commerce on 2 February 2016. It will replace the original Safe Harbor framework, whose legal basis was invalidated by the CJEU, and aims to protect the fundamental rights of Europeans once their data is transferred to the United States and to ensure legal certainty for businesses.
A full copy of the report from Hogan Lovells can be found here.