Our winter 2016 edition of the Employment Law Briefing Newsletter discussed the implications of the Court of Justice of the European Union’s (CJEU’s) decision to invalidate the Safe Harbor framework. Concern about the lack of safeguards to limit U.S. law enforcement’s access to personal data transferred from the EU was one of the main factors the CJEU cited in its ruling.

Companies relying on Safe Harbor were left in a state of flux because the framework enabled UK employers to legally transfer employment data to the U.S. This was particularly troubling for global employers with UK subsidiaries who transferred employee data to their U.S. head office, and those who used U.S.-based cloud service providers or outsourced their human relations, payroll and other employment tasks to U.S.-based providers. Without adopting one of the alternative methods to legitimise the transfer of employment data − e.g. model contractual clauses (Model Clauses) or binding corporate rules (BCRs) − employers were left exposed to claims from employees regarding the unlawful transfer of their personal data.

The new agreement

Those employers breathed a sigh of relief on Tuesday when the EU and U.S. announced that they had reached a new transatlantic data transfer agreement intended to address the issues which led to the invalidation of Safe Harbor. The new “EU-U.S. Privacy Shield” will once again enable the transfer of employment data from the UK to the U.S. The principal points of agreement include the following:

  • Strong obligations on companies handling EU personal data and robust enforcement mechanisms. Importantly, any company processing EU employment data will have to agree to comply with decisions by EU data protection authorities (DPAs) in relation to that data.
  • Clear safeguards and transparency obligations on U.S. law enforcement access.
  • Effective protection of EU citizens’ rights with several avenues for redress.
  • A joint annual review that will give EU and U.S. officials the opportunity to monitor the functioning of the agreement and make changes.

The EU Commission will prepare a draft “adequacy decision” in the coming weeks, which will be put before the Article 29 Working Party (WP29) − made up of a representative from the DPA in each of the EU Member States − prior to it being voted upon. Consequently, the U.S. will also need to make necessary preparations to put in place the new framework.

Next steps

We eagerly wait to see the final details of the agreement to understand how UK employers and U.S. companies will need to comply. The EU Commission has been asked to present all documents to the WP29 by the end of February. The WP29 will then meet at the end of March to come to a conclusion on the Privacy Shield and on whether BCRs and Model Clauses remain valid tools for transfer.

What remains unclear is whether companies should continue their efforts in implementing BCRs or Model Clauses, or wait to see the final agreement and transition to the new EU-U.S. Privacy Shield. In the meantime, the WP29 announced yesterday that until mid-April (which should be approximately the time when the final decision will be made), BCRs and Model Clauses remain valid tools and can still be requested and implemented. It was also confirmed by the WP29 that companies not using BCRs and Model Clauses could be investigated by national DPAs.

We will provide you with further updates in the coming days and weeks as the final details are disclosed. If your HR department would like further advice or in-house training regarding transferring employment data, implementing BCRs or Model Clauses, and the implications of the new EU-U.S. Privacy Shield, please contact the London employment legal team.

For more information on the EU-U.S. Privacy Shield, please see Password Protected's latest post "Replacing Safe Harbor: EU-U.S. Privacy Shield Announced."