Following speculation that protracted negotiations had been in vain, an agreement on a successor to Safe Harbor has apparently been reached. Dubbed the “EU-U.S. Privacy Shield”, the new regime will, subject to approval processes, replace the existing Safe Harbor arrangement, which was invalidated by the Court of Justice of the European Union on 6 October 2015 in Maximillian Schrems v Data Protection Commissioner (Case C-362/14). The CJEU’s decision cited concerns that Safe Harbor would be disregarded wherever the national security, public interest or law enforcement requirements of the United States came into play, and that EU citizens lacked any means of seeking effective redress.
The news comes as a surprise following the passing of the 31 January deadline and amendments to the Judicial Redress Act, both of which prompted many to speculate that negotiations would fall into further disarray. The finer details of the agreement are as yet unknown; however, some are already raising questions that cast doubt on its value to businesses.
The Proposal
Stating that the new framework will “protect fundamental rights” and “ensure legal certainty for businesses”, a European Commission press release gives only broad details of the agreement. The new framework will include:
- Strong obligations on companies handling Europeans’ personal data, and robust enforcement. The U.S. Department of Commerce will monitor companies to ensure that they publish their commitments, which in turn makes those commitments enforceable under U.S. law by the Federal Trade Commission (FTC).
- Clear safeguards and transparency on U.S. government access. This will include an annual joint review of the arrangement, to be carried out by the U.S. Department of Commerce and the European Commission.
- Effective protection of EU citizens’ rights, with several redress possibilities. These include the ability of national Data Protection Authorities (DPAs) to refer complaints to the Department of Commerce and the FTC, and a new Ombudsperson to adjudicate on complaints about possible access by national intelligence authorities.
Criticism of proposals
In a series of tweets put out after the announcement, Jan Philipp Albrecht, MEP for Germany and a prominent figure in the EU data protection field, branded the agreement “a joke”, accused the European Commission of selling out fundamental rights, and stated that it “puts itself at risk to be lectured by the CJEU again.”
Despite these criticisms, early indications are that the Privacy Shield goes some way towards the level of protection envisaged in the “Umbrella Agreement” between the EU and the United States. The framework and the other results of the negotiations should improve transparency, introduce mechanisms for EU citizens to obtain redress, and narrow the scope for U.S. authorities to access personal data.
What does this mean for businesses?
At this stage, the “Privacy Shield” is still being forged and its final form is uncertain. Meanwhile, the national Data Protection Authorities are due to meet on 3 February to decide how they will move forward with regulating trans-Atlantic data flows. There will inevitably be a lead time before the Privacy Shield is implemented, during which companies will need an alternative lawful basis (such as standard contractual clauses or binding corporate rules) for their international transfers of personal data. Companies that have not plugged this gap risk enforcement action by the Data Protection Authorities.
At first glance, certifying to the Privacy Shield may seem appealing to organisations. It will provide a degree of legal certainty and remove the need to implement other transfer mechanisms. At the same time, certifying to the scheme is likely to be a demanding and costly process, requiring new policies and procedures. Organisations that were previously certified under the Safe Harbor regime will not automatically be certified to the Privacy Shield.
The Privacy Shield will come with additional obligations for those companies that choose to sign up, and the FTC has suggested that there will be a transition period to allow companies to complete their compliance efforts. The Commission's press release indicates that the Privacy Shield could come into force within the next three months. That timing may prove difficult to achieve: the European Commission must first assess the adequacy of the agreement, seek the opinion of the Art. 29 Working Party, which brings together the national data protection authorities of the 28 Member States, and consult a committee of representatives of the Member States.
By certifying to the scheme, organisations also subject themselves to the jurisdiction of the FTC, a regulator with far greater fining powers than those currently wielded by the EU Data Protection Authorities. In light of the Court of Justice of the European Union’s decision in October, it is likely that certified companies will face closer scrutiny than they ever did under the Safe Harbor regime.