When the old Safe Harbor program ended in October 2015, businesses were faced with a very serious problem. Without Safe Harbor there were only two remaining legal ways to transfer data from the EU: Binding Corporate Rules and Model Contract Clauses.
Both of these were also under attack from the European Data Protection Agencies, with some DPAs in Germany ruling that they were just as ineffective as Safe Harbor.
Both are onerous to implement. Binding Corporate Rules take years to gain approval, and Model Contract Clauses require agreement with each data subject, or data processor.
For almost a year businesses were left without a legal framework to transfer personal data from the EU to the US. There was, however, an informal understanding that no enforcement activity would take place during that time, and indeed it ceased.
In July 2016 the EU Commission and Department of Commerce issued a joint statement indicating that after almost three years of negotiation they had reached an agreement. A new framework called Privacy Shield would become available on August 1st 2016.
The importance of Privacy Shield cannot be overstated. In a time of increasing global data transfers it is important to have the ability to share data between the US and EU. This could be simply for processing or because a company has data centers located in the US only.
Without Privacy Shield companies would find themselves transferring data illegally, and leave themselves open to lawsuits from data subjects.
While it should be expected that the current version of Privacy Shield will undergo some revisions, it is clear that for the moment it is the easiest and best way to allow US-EU data transfers, and is incredibly important for US companies doing business in the EU.