On February 2, 2016, the EU Commission announced that it had reached political agreement with the US Department of Commerce (the DOC) on a new framework for transatlantic data flows, branded as the "EU-US Privacy Shield." This new framework will replace the Safe Harbor framework invalidated by the EU Court of Justice in the Schrems judgement in October 2015.1 The announcement by the EU Commission comes two days after the expiration of a deadline set by the Article 29 Working Party2 (WP29), after which, the WP29 warned, individual EU data protection authorities (DPAs) could take enforcement action against companies continuing to rely on the Safe Harbor as a basis for transmitting personal data from the EU to the United States.
Following three months of negotiations, the political agreement has now been approved by the leadership of the EU Commission (the College of Commissioners), which has directed Vice President for the Digital Single Market, Andrus Ansip, and Commissioner for Justice, Vera Jourová, to take the next steps to put in place the new arrangement. According to Commissioner Jourová, "The new EU-US Privacy Shield will protect the fundamental rights of Europeans when their personal data is transferred to US companies."
Although the deal terms have been agreed, the exact language of the new framework is yet to be formally presented to and approved by the College of Commissioners. According to the announcement from the EU Commission, the proposed Privacy Shield is designed to address concerns identified in the Schrems judgement.
Stronger commitments from US companies
- US companies looking to import personal data from the EU will be required to sign up to stronger commitments on how such data will be processed and how individual rights will be guaranteed, which shall be enforceable under US law by the US Federal Trade Commission (the FTC).
- Any US company handling human resources data from the EU must commit to comply with decisions from EU DPAs.
Safeguards and transparency obligations on US government access
- The United States has committed to impose clear limitations, safeguards, and oversight mechanisms on access by US public authorities to imported personal data for law enforcement and national security purposes, and to permit access to personal data for such purposes only to the extent necessary and proportionate to the need.
- The US Government has committed not to engage in indiscriminate mass surveillance on personal data transferred to the United States under the new framework, and will provide that commitment in writing on an annual basis, which will be audited by both countries.
EU citizens' rights and redress
- The new framework will allow citizens who consider that their personal data has been misused to raise their complaints through several channels, including by lodging them directly with the company concerned (who will be required to reply within specific deadlines), the relevant EU DPA, or a newly created Ombudsperson for national security.
- EU DPAs will be able to refer complaints to the DOC and the FTC.
- Alternative dispute resolution will be available free of charge if the other channels fail.
- The new framework will be reviewed annually by the EU Commission and the DOC, which will allow officials on both sides to monitor the functioning of the agreement and make changes as necessary.
The reaction from the industry has largely been positive, with several technology trade groups in the EU and the United States commending the agreement reached, including the Application Developers Alliance, the Information Technology and Innovation Foundation, and DigitalEurope.
However, concerns have already been raised regarding the open language used in the deal, with some questioning the enforceability of the US assurances. Some commentators have warned that the Privacy Shield is likely to be challenged in the short term, both by consumer groups and possibly EU DPAs. Whether any such challenges will be successful will depend on the fine detail of the rules yet to be agreed and the steps taken by the United States to comply with it.
RESPONSE FROM ARTICLE 29 WORKING PARTY
In a statement issued on February 3, 2016, WP29 welcomed the agreement, but reserved judgement on the new framework until there has been an opportunity to review the relevant documents, which will include an assessment of whether the Privacy Shield can meet the concerns raised by the Schrems judgement.
Following an in-depth analysis of the legal status quo and the practices of US intelligence services, the WP29 raised concerns on the current US legal framework as regards the following "four essential guarantees for intelligence activities" to be respected whenever personal data are transferred from the EU to the United States:
- Processing should be based on clear, precise, and accessible rules- Individuals should be sufficiently informed about the status of their personal data to be able to foresee what might happen with their data when they are transferred.
- Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated - A balance must be found between achieving the objective for which personal data are collected and accessed, and the rights of the individual.
- An independent oversight mechanism should exist that is both effective and impartial - Either a judge or another independent body, as long as it has sufficient ability to carry out the necessary checks, should serve as an independent overseer.
- Effective remedies need to be available to the individual - Anyone should have the right to defend their rights before an independent body.
According to the statement, WP29 "stands ready" to analyze whether the Privacy Shield will alleviate these concerns and to what extent this new arrangement will provide legal certainty for the other data transfer mechanisms (Standard Contractual Clauses and Binding Corporate Rules).
WP29 has called on the EU Commission to provide to it all documents pertaining to the new framework by the end of February, in order that it can complete its assessment at an extraordinary plenary meeting to take place in the "coming weeks."
The first task for Vice-President Ansip and Commissioner Jourová will be to prepare a draft adequacy decision, which will set out the new rules, "in the coming weeks." The College of Commissioners will then obtain the advice of WP29 and consult with a committee composed of representatives of the Member States before deciding whether to adopt the adequacy decision and proceed with implementation. However, Commissioner Jourová is reported to have indicated that the new framework could become law within three months.
In parallel with the EU process, the United States will work to put in place the new framework, monitoring mechanisms, and Ombudsman.
IN THE MEANTIME
Despite comments from the US Secretary of Commerce, Penny Pritzker, that the new framework "provides certainty by ensuring that thousands of European and American businesses and millions of consumers can continue to access services online," the concerns of EU and US companies who previously relied on Safe Harbor are unlikely to be alleviated until precise details of the new Privacy Shield are approved.
In its recent statement, WP29 stressed that transfers of personal data to the United States can no longer take place on the basis of the invalidated Safe Harbor framework. Mirroring the concerns of affected companies, the Director General of DigitalEurope, John Higgins, called for EU DPAs to "hold off with any potential enforcement action until the new agreement has been fully implemented" in a statementissued on February 2, 2016.
Stakeholders will therefore be pleased to note that, although WP29 is to consider whether existing transfer mechanisms, such as Standard Contractual Clauses and Binding Corporate Rules, can be used going forward, it has confirmed that these can be relied upon for the time being. This is in line with guidance issued by the EU Commission in November 2015 on permissible means to transfer data from the EU to the United States.3