The European Commission and the United States have agreed a new framework for transatlantic data flow, called the EU-US Privacy Shield, after a recent ruling by the Court of Justice of the European Union (the "ECJ") held that the previous agreement, the Safe Harbour scheme, was invalid.
EU-US Privacy Shield
On 2 February 2016, the European Commission announced it had reached a new agreement with the US on transatlantic data exchange, referred to as the EU-US Privacy Shield. In its press release, the European Commission set out the following key provisions:
- Increased obligations on companies handling data: Under the EU-US Privacy Shield, companies handling personal data must commit to 'robust obligations on how personal data is processed and individual rights are guaranteed.' In order to ensure compliance, the Department of Commerce will 'monitor that companies publish their commitments, which makes them enforceable under US law by the US Federal Trade Commission.'
- Safeguards on US government access: The European Commission claims that the US has given 'written assurances' that the usage of data by government authorities will be 'subject to clear limitations, safeguards and oversight mechanisms.' Surveillance of EU citizens will be used only where necessary and proportionate and 'indiscriminate mass surveillance' has been prohibited. These assurances will be subject to an annual joint review by the European Commission and the US Department of Commerce.
- Accessibility to redress: In addition to the above provisions, the EU Commission has also set out a range of new redress mechanisms available to EU citizens. If companies fail to deal with complaints by a specified deadline, the complaint will be referred to the Department of Commerce and the Federal Trade Commission. Complaints relating to data usage by government authorities will now be dealt with by a new Ombudsman.
The European Commission's next step is to prepare a draft "adequacy decision", which may be adopted after comments have been sought from the Article 29 Working Party and a committee composed of representatives of the Member States. In the meantime, the US has agreed to begin putting in place the new framework, monitoring mechanisms and a new Ombudsman.
Although the EU-US Privacy Shield still requires final approval, including fleshing out the exact details of the new arrangement, speculation is already rife as to its implications.
The European Commission's Vice-President Ansip considers that it helps facilitate the European Commission's aim of creating a 'Digital Single Market'. He said: 'Our businesses, especially the smallest ones, have the legal certainty they need to develop their activities across the Atlantic […] Today's decision helps us build a Digital Single Market in the EU, a trusted and dynamic online environment; it further strengthens our close partnership with the US. We will work now to put it in place as soon as possible.' The British lobby group TechUK, which represents over 900 companies from the UK technology industry, echoed this sentiment, commenting: 'Businesses large and small across Europe need reliable and affordable legal mechanisms to enable the data transfers that underpin their operations and ability to serve customers.'
However, many other commentators have voiced concerns over the legal and regulatory position of the agreement. In particular, Isabelle Falque-Pierrotin, president of the Article 29 Working Party, has responded to the proposal with reservations.
In terms of what it means for UK businesses now, it is important to remember that the Safe Harbour scheme cannot be used to justify transfers of data to the US. Currently, most businesses are relying on binding corporate rules or EU model contract clauses to justify transfers, although the legitimacy of these justifications continues to be questioned and tested by both some EU data protection regulators and individuals. Our current view is that it is difficult to see how the new arrangement will adequately deal with the issues raised by the ECJ in the Schrems case. In particular, it is difficult to see how the new arrangement will give businesses the certainty they are looking for about the legality of transferring data between the EU and the US. For now, our advice is for businesses to wait for the details of the adequacy decision before taking any further action based upon the EU-US Privacy Shield announcement.
The debate surrounding the EU-US Privacy Shield serves to demonstrate the continuing challenges of formulating a coherent and cohesive approach to cross-border data exchange.