AIIM - The Global Community of Information Professionals

Guest Post - GDPR and Cross Border Data Flows between the EU and the US: Current State of the Law

Jul 14, 2017 9:14:00 AM by Andrew Pery

This is the fourth post in a series on privacy by Andrew Pery. You might also be interested in Privacy by Design: The Intersection of Law and Technology and What Do the GDPR and new Privacy Laws Mean for U.S. Companies? and Balancing Privacy Rights with Social Utility in the Age of the Internet of Things.


As a direct response to the Snowden revelations relating to the bulk collection of personal data by US intelligence the European Commission and the US Department of Commerce jointly developed a new framework purporting to considerably strengthen the protection of privacy rights of EU citizen data when such data is transferred to US data processors and controllers.  The previous regime under the Safe Harbor was invalidated by the European Court of Justice in Schrems v. Data Protection Authority which held that EU citizen’s privacy rights are at risk given the broad overreach by US public authorities.

Restoring certainly in trans-border data flows is of outmost priority for regulators on both sides of the Atlantic given that the transatlantic economies of the EU and the US are inextricably linked built on a digital backbone supporting virtually every facet of commerce.

The new Privacy Shield considerably strengthens the privacy rights of EU citizens relating to onward transfer of personal information.  Key provisions of the Privacy Shield require adherence to the core privacy principles of notice, choice, security, integrity, access, enforcement and accountability for onward transfer.

Perhaps the most important aspect of the Privacy Shield is more rigorous access, monitoring and enforcement mechanisms that were lacking in the Safe Harbor. According to the European Commission’s statement, “for the first time, the US has given the EU written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards, and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizens’ data.” By virtue of these strengthened enforcement mechanisms, EU citizens will be able to:

Seek redress for alleged privacy rights against companies who are obliged to resolve such complaints within 45 days;

  • Access to an Independent Dispute Resolution at no cost;
  • Work through EU Data Protection Authorities who are empowered to work with the US Federal Trade Commission (FTC) to ensure that EU citizen complaints are addressed and remedied; and
  • Opt for arbitration should their complaints be not resolved through the independent Dispute Resolution mechanism

Perhaps one of most sensitive matters that the EU-US Privacy Shield is designed to remedy is the overreach by the US government in its bulk data collection practices: “the U.S. government has given the EU written assurance from the Office of the Director of National Intelligence that any access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms, preventing generalised access to personal data.” Finally, to empower EU citizens to seek judicial standing, President Obama signed into law the Judicial Redress Act, which provides EU citizens the same protections under the Privacy Act as are available to US citizens.

However the fate of the Privacy Shield remains uncertain. The policy implications of the new US Administration are of concern to EU regulators.   The Privacy Shield framework is pending review by the Article 29 Working Party (WP29).  There are a number of submissions under consideration, including pending assurances from the new Administration as to their continued commitment to a more robust protection of EU citizen privacy rights.  This includes adherence to the provisions of the GDPR when it becomes enforceable in 2018. 

In the meantime, US entities that are transferring EU citizens personal information may do so by incorporating Binding Corporate Rules (BCR) or Model Corporate Clauses both of which require adherence to safeguarding EU privacy rights for onward transfer of EU citizen data.

The state of the cross border data flows remains unsettled although encouraging signs point to ratification.

About the author:  Andrew Pery is a marketing executive with over 25 years of experience in the high technology sector focusing on content management and business process automation.  Currenly Andrew is CMO of Top Image Systems.  Andrew holds a Masters of Law degree with Distinction from Northwestern University is a Certified Information Privacy Professional (CIPP/C) and a Certified Information Professional (CIP/AIIM).

GDPR After the Deadline


Topics: privacy, security, information security, gdpr

Like what you see? Subscribe to get updates delivered straight to your inbox.

Back to Blog

About AIIM

AIIM provides market research, expert advice, and skills development to an empowered community of leaders committed to information-driven innovation.

Click to download 14 Steps to a Successful ECM Implementation

Subscribe to Email Updates

Recent Posts