Personal data can only be exported out of the European Economic Area if it is to a destination that provides adequate protection or there is some other mechanism such as a data subject’s informed consent. There are some means to enable data export, such as model contractual clauses approved by the European Commission. To enable easy flows of data between entities in the EU and the US, the US adopted the Safe Harbor scheme in 2000. However, that basis was struck down in a European Court of Justice judgment last year (the Schrems case). This was due to concerns over the adequacy of protection in the US, and in particular disclosure for the purposes of wide data surveillance.
There will be redress mechanisms for EU citizens, such as timely direct resolution by the participant entity, free-of-charge alternative dispute resolution, a data protection authority taking the matter forward and a Privacy Shield arbitration panel. In addition, there will be an ombudsman to address national security related complaints. The ombudsman will be independent from the US intelligence agencies.
The European Commission has heralded the Privacy Shield launch, and rightly so. It has been welcomed by many businesses. However, some people have raised criticisms and have called it a sham. It is possible that it may yet be open to challenge. Another fly in the ointment, as regards what this means for UK businesses, is the UK’s prospective departure from the EU. However, if the UK is to remain part of the EEA, Privacy Shield is likely to remain very relevant.