The EU and the US have confirmed that, after two years of negotiations, they have agreed a “Privacy Shield Framework” which will in effect replace the Safe Harbor agreement with the US that the European Court of Justice struck down last October (2015).  The details of the new Privacy Shield were released on 29 February (2016).

No idea what we are talking about?  The Safe Harbor agreement enabled multi-national companies that traded in the EU to transfer customer data to, and process it on, servers in the US, and to provide protections similar to those of EU directives on Data Protection of customer data in member states, such as the UK.  For all those companies agnostic about data flows on the web such as Apple and Google, and for ticketing system suppliers operating in Europe with server farms in the US, this was a serious problem.  The Safe Harbor agreement was struck down after the Edward Snowden revelations and subsequent US discussion confirmed that the US Government could override Data Protection and access and process customer records of EU citizens without authorisation or any permission.

New ‘notification’ requirement if EU data processed in US

The fundamental changes the EU-US “Privacy Shield Framework” makes do introduce the right for EU citizens to take action in the US if there is a breach of their privacy, but lawyers are unclear how that satisfies the challenge of US Government access.  It also introduces the requirement to notify customers if, say, their data from an Internet Ticketing transaction will go to servers in the US.  And there is a fundamental requirement for a contract where an EU company is agreeing that its customer data will be transferred to and/or processed on servers in the US.  Read more here, with the full text available, on the US Department of Commerce website: https://www.commerce.gov/privacyshield

Useful blog on this from the helpful web developers TinCan: http://tincan.co.uk/blog/goodbye-safe-harbour-hello-privacy-shield

Roger Tomlinson

3 March 2016