The United States has traditionally taken a libertarian approach to data privacy: “what is not forbidden is permitted.” Outside sensitive sectors such as health (HIPAA) and finance (GLBA), the United States has historically been content to let the market police itself. The European approach, perhaps reflecting the trauma of 20th-century totalitarian surveillance, is different: EU nations have comprehensive data protection laws enforced by dedicated data protection authorities (DPAs). The EU thus permits data collection but regulates it much more tightly than the United States, which remains content with its piecemeal, sector-by-sector approach.
The United States and the EU reconciled these divergent philosophies through a bilateral arrangement known as Safe Harbor. Companies that self-certified under Safe Harbor were deemed to comply with EU data protection requirements as well. The arrangement worked until 2015, when the European Court of Justice handed down the Schrems decision, holding that Safe Harbor did not adequately safeguard personal data and therefore could not satisfy the EU’s Data Protection Directive.
Schrems left American and EU negotiators scrambling to develop an alternative framework. They agreed on a replacement, dubbed “Privacy Shield,” in February 2016, and the European Commission approved it in July 2016. The Commission’s decision meant that American companies adhering to the Privacy Shield principles satisfied the EU rule that personal data may be transferred only to countries providing “adequate” data protection.
The “adequacy” determination immediately drew critics who contended that Privacy Shield was not robust enough to protect EU citizens’ data. The continued viability of the Privacy Shield regime has therefore always been precarious, and three recent developments have highlighted that precariousness.
Source: Lexology – Poyner Spruill LLP, Saad Gul and Michael E. Slipsky