Has the ship sailed ?

In October 2015 the European Court of Justice ruled that the “safe harbour” agreement signed by the European Union and the United States which secured the protection of European citizens’ data when transferred to the US is no longer valid. The “safe harbour” agreement generally protected the EU citizens from transfer of their data by American companies to US data centres.

As a result, the only way now to transfer personal data from the EU to the US by using in agreements authorizing such transfers the “model contract clauses” provided by the EU Data Protection Directive (95/46/EC). Nevertheless, the Directive enables the Member States to determine the conditions under which the processing of personal data is lawful.

Generally, the Directive defines as processing of personal data any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

In Cyprus, the Processing of Personal Data (Protection of the Individual) Law of 2001 which implements the EU Directive, lays down the following key provisions:

  • Processing of personal data is only allowed if the individual (“data subject”) concerned has given his prior consent.

  • The data importer shall notify the Cyprus Commissioner that he intends to process personal data in any of the ways described above. Nevertheless, the importer does not have to notify the Cyprus Commissioner if the processing of personal data services are in the course of the business relationship of the data importer and the data subject concerned and is required in order to satisfy a legal obligation of the latter and the data subject has given his consent; or the processing of personal data concerns clients of the data importer and the personal data is not provided to third parties.

  • The transfer of any personal data to another country before or after processing requires the prior consent of the Commissioner.

Our Firm has advised a number of local and international clients on how to safeguard their interests and the interests of their clients in light of the latest reforms.

However it seems that the “ship has not sailed” yet, since in February the European Commission and the United States proposed a new “EU-US Privacy Shield” included inter alia written assurances from the US government that the access of US public authorities for law enforcement and national security will be subject to clear safeguards and transparency obligations, useful reference is here.

In July, the European Commission officially adopted the EU-US Privacy shield which is based on the following principles:

  1. The US Department of Commence will conduct regular checks of participating companies, in order to ensure that they comply with the Data Protection rules and in case they do not comply, they will face sanctions.

  2. As mentioned above, the US government has given the EU assurance that the access of public authorities for law enforcement and national security is subject to clear limitations and oversight mechanisms. To that end, should any personal data be misused, the US has established a redress possibility in the area of national intelligence for the Europeans.

  3. Furthermore, the EU-US Privacy Shield offers accessible and affordable dispute resolution mechanisms, to any citizen who considers that their data has been misused.

  4. The European Commission and the US Department of Commerce will annually review the functioning of the EU-US Privacy Shield and issue a public report to the European Parliament and the Council.

Each US Company controlling and processing personal data of the European citizens is obliged to certify with the US Department of Commerce from August 1.