The Transfer of EU Personal Data to Third Countries: From the «Safe Harbour» to the «Privacy Shield». As the US system as a whole is not deemed to offer an adequate protection of personal data (given, in particular, the absence of a set of protections applying horizontally to all sectors and of an independent data protection authority entrusted with the supervision of compliance with such overarching legislation) companies engaging in transatlantic flows of personal data have to base their transfers on one of the alternative instruments foreseen under EU law. To facilitate transfers of data across the Atlantic, a specific regime was introduced in 2000: the Safe Harbour. This regime consisted in a self-certification mechanism by which thousands of US companies submitted themselves to additional obligations compared to those applicable under US law and could therefore be considered as offering an adequate level of protection. Following revelations on US mass surveillance programs, the legality of the Safe Harbour, and in particular its compatibility with the EU charter of Fundamental Rights (Articles 7 and 8), was challenged before the ECJ. In its Schrems judgment of 6 October 2015, the Court of Justice found the Safe Harbour invalid. The present article seeks to analyze this ruling, assess it implications on alternative tools for transfers available under EU law (standard contractual clause, binding corporate rules) as well as address prospects for a successor arrangement on transatlantic data flows (Privacy Shield)
Crespi, S. (2016). Il trasferimento dei dati personali UE in Stati terzi: dall’Approdo sicuro allo Scudo UE/USA per la privacy. DIRITTO PUBBLICO COMPARATO ED EUROPEO(3), 687-714.
Il trasferimento dei dati personali UE in Stati terzi: dall’Approdo sicuro allo Scudo UE/USA per la privacy
CRESPI, SERENA
Primo
2016
Abstract
The Transfer of EU Personal Data to Third Countries: From the «Safe Harbour» to the «Privacy Shield». As the US system as a whole is not deemed to offer an adequate protection of personal data (given, in particular, the absence of a set of protections applying horizontally to all sectors and of an independent data protection authority entrusted with the supervision of compliance with such overarching legislation) companies engaging in transatlantic flows of personal data have to base their transfers on one of the alternative instruments foreseen under EU law. To facilitate transfers of data across the Atlantic, a specific regime was introduced in 2000: the Safe Harbour. This regime consisted in a self-certification mechanism by which thousands of US companies submitted themselves to additional obligations compared to those applicable under US law and could therefore be considered as offering an adequate level of protection. Following revelations on US mass surveillance programs, the legality of the Safe Harbour, and in particular its compatibility with the EU charter of Fundamental Rights (Articles 7 and 8), was challenged before the ECJ. In its Schrems judgment of 6 October 2015, the Court of Justice found the Safe Harbour invalid. The present article seeks to analyze this ruling, assess it implications on alternative tools for transfers available under EU law (standard contractual clause, binding corporate rules) as well as address prospects for a successor arrangement on transatlantic data flows (Privacy Shield)I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.