In the first newsletter of the year we brought you the news that the Safe Harbour agreement, which had enabled businesses adhering to it to process personal data from European companies, was considered unsafe after an important court judgement rejected it because it did not offer ‘equivalent’ protection.
We can now tell you that nothing has changed, or that nothing will change, because at the moment it is not advisable to perform data transfers to the US using providers without authorization from the AEPD (Agencia Española de Protección de Datos, or Spanish Data Protection Agency), or, in the case of exceptional transfers, without consent or another exception to the authorization.
The new agreement with the US, negotiated by the European Commission after analysing the situation there, means that the Commission considers the measures and safeguards offered by the US sufficient to declare that the new scheme offers an appropriate level of protection. American companies must subscribe to the new scheme.
This agreement will not be applied immediately; so far, only the reaching of an agreement to establish new rules, which are now said to be ‘safe’, has been announced. The European Commission has said that in the coming weeks it will prepare a draft of the “Adequacy Finding”. This text will be the subject of an Opinion by the European data protection authorities and will be submitted to a Committee made up of representatives of the member states, who will definitively approve it if the scheme meets European standards. Only at that point will American companies be able to adhere to it.
What should I do?
Wait until the regulatory text which the American companies must adhere to is approved.
Will this be the same system as the now extinct Safe Harbour?
We can say today that it looks that way.
Can I be fined if I send data to the USA without this agreement being in place or without the prior authorisation of the AEPD?
Art. 44.4.d of the Organic Law on Data Protection (LOPD) states that the international transfer of data to countries that don’t provide the required protection standards without authorization from the Spanish Data Protection Agency (AEPD) may be subject to a fine ranging from 300,001 to 600,000 euros.
By Daniel Santos García
Lawyer and partner of Santos Abogados Asociados