Czech Republic and the EU: New rules for transferring personal data into the USA


This July, the European Commission adopted the eagerly awaited EU-U.S. Privacy Shield. This new framework should provide for the protection of all persons in the EU, whose personal data are transferred into the United States. Furthermore, it should clarify the legal environment for businesses that are engaged in the data flows between the EU and the US.

For many years, personal data transfers to the US too place inter alia on the basis of the European Commission’s decision on the adequate protection provided by the so-called Safe Harbor principles. But this ended when the European Court of Justice in the case Schrems vs. the Commissioner for Personal Data Protection decided in its judgment of 16 October 2015 that the aforementioned Commission Decision No. 2000/520/EC, on the Safe Harbor privacy principles, is invalid. The European Court of Justice confirmed, among others, that despite the existence of said Commission’s decision, national supervisory authorities must have an opportunity to independently verify whether or not the transfer of personal data into third countries complies with the Data Protection Directive No. 95/46/EC.

After the Safe Harbour program was terminated, two other ways to legally transfer personal data into the US were available in addition to the approval of the Office for Personal Data Protection. One was the use of the so-called “Standard Contractual Clauses”, and the other one was the application of the “Binding Corporate Rules”.

The announcement of the EU-U.S. Privacy Shield in July brought the long-awaited third alternative, which, e.g. establishes the list of companies participating in the Privacy Shield program, which have undertaken to respect certain rules when handling personal data flowing across the Atlantic. The list will be regularly updated by the US Department of Commerce, which will also regularly check whether the companies on the list actually abide by the rules they have undertaken to comply with. Companies that fail during these inspections will be sanctioned and delisted.

The United States also promised to improve measures in the field of obligations relating to the transparency in the US Government’s approach to the personal data of Europeans. A part of that commitment is also to provide for new mechanisms of legal protection available to EU citizens directly in the USA. One of these measures is the option to contact an ombudsman at the US Department of State.

One of the basic principles, on which the shield is based, is the effective protection of the rights of individuals. EU citizens who will feel harmed by any misuse of their data within the shield may now use several new procedures for resolving disputes related to it. These include individual complaints lodged directly with companies violating the set rules for transferring personal data. Another option is to contact the authorities for data protection in one’s home state (in the case of the Czech Republic, it is the Office for Personal Data Protection). An ultimate option will then be able to defend one’s rights in arbitration proceedings at the so-called “Privacy Shield Panel”.

The European Commission and the US Department of Commerce also declared that they would regularly review the entire framework once a year, with the participation of national intelligence experts from the USA and European authorities for the protection of personal data.