In October 2015, the European Court of Justice (ECJ) ruled that the previous Safe Harbor agreement between the EU and the USA was invalid. Since then, the agreement has no longer guaranteed a sufficient level of data protection necessary for the legal transfer of personal data to the USA (as required by Section 4b para. 2 BDSG (German Federal Data Protection Act)). On the basis of the ECJ's ruling, the joint working group of European data protection authorities (the so-called Art. 29 Working Group) issued an ultimatum for the transition of data transfers to the USA. If no successor agreement to Safe Harbor complying with the ECJ requirements was reached by 1/31/2016, the data protection authorities would begin proceedings against companies which continued to use the old Safe Harbor Principles for their transfer of personal data to the US. In light of this, many companies that had previously relied on Safe Harbor converted to other protective mechanisms for legal transfers of data. To do so, they concluded data protection agreements which included the EU standard contractual clauses approved by the EU Commission, a procedure which had been (provisionally) accepted as legal by the Art. 29 Working Group.
Key points of the new agreement
It still remains unclear what the detailed requirements for a transfer of data to the USA will be under the new "Privacy Shield" agreement. The key points of the new regulations, however, can be outlined as follows: companies in the USA which seek "Privacy Shield" certification "must subject themselves to robust obligations regarding how personal data can be processed and how personal rights are to be guaranteed." The US Department of Commerce will monitor and ensure that "Privacy Shield" certified companies will publish their data protection obligations and the US Federal Trade Commission will enforce them. "Privacy Shield" certified companies must also agree to comply with regulations established by European data protection authorities. Certified companies must attempt to remedy complaints by EU citizens relating to the processing of their personal data within a certain period. EU citizens may submit any complaints which have not been resolved to the responsible data protection authorities, which in turn may refer the matter to the US Department of Commerce and the US Federal Trade Commission. EU citizens may also opt for an arbitration procedure which is free of charge to them. Strict regulations are established for access to personal data by US intelligence and law enforcement agencies in the form of a clear restrictions and also security and monitoring mechanisms. These mechanisms are subject to annual review. An ombudsman will be established to handle complaints by EU citizens relating to breaches of their personal rights by US intelligence and law enforcement agencies.
Recommendations for action
While the details of the agreement remain unknown, international corporations should be cautiously optimistic. At first glance, the "Privacy Shield" agreement seems to be similar to "Safe Harbor" in terms of intra-group cross-border transfers of personal data. As always, however, the devil may be in the details in terms of the wording of the Privacy Shield agreement which is currently drafted. On this basis, we recommend as follows:
- Pay attention to the EU Commission's next steps relating to "Privacy Shield"!While the key points of Privacy Shield may perhaps be similar to the Safe Harbor agreement, as yet unreleased details of the actual text of the agreement may impose comparatively higher requirements and/or more severe legal consequences. In order to determine the best and most appropriate approach of legally transferring personal employee data to the USA, you will have to become familiar with the details of "Privacy Shield".
- Pay attention to publications by the Art. 29 Working Group and European (local) data protection agencies! In its first statement on "Privacy Shield" on February 3, 2016, the Art. 29 Working Group called on the EU Commission to submit the text of "Privacy Shield" for review by the end of February. Until then, the use of EU standard contractual clauses and binding corporate rules for a legal data transfers to the USA will continue to be tolerated, albeit subject to closer examination. Companies that continue to use "Safe Harbor" will be dealt with on a "case by case" basis. This represents a further ultimatum and emphasizes the fact that companies in Europe transferring data to the US should in no case continue to rely on Safe Harbor. It is unclear whether there will then be a further transitional period. We must also assume that the Art. 29 Working Group will play a significant role in the structure and application of the Privacy Shield agreement and will issue decisions and/or statements on the subject. This will give the Privacy Shield agreement a dynamic aspect, which means that it is absolutely vital for its application and any necessary modifications to internal group data protection regulations that any developments be followed closely.
- No further use of Safe Harbor by companies! Companies that continue to rely on Safe Harbor (against recommendations) should immediately consider a move to or add other mechanisms. The Art. 29 Working Group once again emphasized in its statement on February 3, 2016, that no further use of Safe Harbor would be tolerated.
- EU standard contractual clauses and/or binding corporate rules as an alternative? Since it remains unclear whether and how "Privacy Shield" may impose further restrictions in comparison to "Safe Harbor" and since Safe Harbor is no longer an option (see above), the use of EU standard contractual clauses or binding corporate rules is currently the only legal alternative. The Art. 29 Working Group has stated that it will more closely examine these mechanisms' compliance with the requirements of the ECJ ruling, putting their continued legality in question. The group has, however, stated that it will tolerate their use for the time being, meaning that these two options are currently the only legal possibilities. A transition to these mechanisms therefore remains recommended.
We will of course continue to keep you updated regarding any relevant developments and recommendations.