This week began like many. An arbitrary deadline came and went - this one, January 31, 2016, was set by the Article 29 Working Party for European and United States regulators to address the void created by the invalidation of the Safe Harbor Framework for EU-U.S. data transfers in the Schrems decision back in October. Many of us had given up hope long ago of any meaningful accord, given the short period of time. Business continued as usual. But speculation ran rampant. Then, as those of us on the west coast had our first cup of coffee Tuesday, we began to receive the barrage of emails and social media notifications from the usual suspects indicating that something had changed. Was there a deal? A Safe Harbor 2? What exactly was it?
Just before 7:30 a.m. Pacific time, the news broke that negotiators had reached a “political agreement” on a new data transfer framework. A few minutes later, EU Commission Vice President for the Digital Single Market Andrus Ansip and Commissioner Vera Jourová held a press conference to announce a new framework, the “EU-U.S. Privacy Shield.” According to Commissioner Jourová:
“For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms. Also for the first time, EU citizens will benefit from redress mechanisms in this area. In the context of the negotiations for this agreement, the US has assured that it does not conduct mass or indiscriminate surveillance of Europeans. We have established an annual joint review in order to closely monitor the implementation of these commitments.”
The press release issued by the EU Commission is here. Many questions remain unanswered, but following is what we currently know about the Shield:
What We Know
As articulated by the Commission, the new arrangement, which has yet to be set forth in writing, will impose stronger obligations on U.S. companies to protect the personal data of Europeans and require stronger monitoring and enforcement to be carried out by the Commerce Department (DOC) and the Federal Trade Commission (FTC), which will include increased cooperation with European Data Protection Authorities (DPAs). It also will include commitments by the U.S. that surveillance activities with respect to personal data transferred from the EU “will be subject to clear conditions, limitations and oversight.”
U.S. companies that want to import personal data from the EU will be required to commit to “robust obligations on how personal data is processed and individual rights are guaranteed.” Companies handling human resources data from Europe will be required to comply with decisions by European DPAs.
There will be several redress options for European data subjects, and companies will be under deadlines to respond to complaints. DPAs will be able to refer complaints to the DOC and the FTC. Further, EU data subjects will be able to submit complaints regarding surveillance to a new dedicated Ombudsperson.
As mentioned by Commissioner Jourová, there will be an annual joint review by the EU Commission and the DOC, which will also include the issue of national security access, and there will be participation from national intelligence experts from the U.S. and EU DPAs.
Statement of the Article 29 Working Party
Today, February 3, the Article 29 Working Party issued a statement. The Working Party welcomed the introduction of the Shield as meeting the deadline set by the Working Party, but indicated that it will need to review the relevant documents “to assess whether it can answer the wider concerns raised by the Schrems judgment as it regards international transfers of personal data.” It called for the EU Commission to produce the relevant documents by the end of February.
Notably, the Working Party expressed ongoing concern regarding the current U.S. legal framework in regards to the four essential guarantees under EU jurisprudence for surveillance activities: specifically, that there must be (1) clear, precise and accessible rules for processing of personal data; (2) a demonstration of necessity and proportionality with regard to the legitimate objectives pursued; (3) an independent, effective and impartial oversight mechanism; and (4) effective remedies available to the individual.
The Working Party makes clear in its statement that it will need to consider whether the Shield will alleviate these concerns. It will also analyze to what extent the Shield provides legal certainty for the other transfer tools (such as Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs)). Further, the Working Party will examine whether the Shield “respect[s] the powers of data protection authorities as laid down in Article 28 of Directive 95/46/EC.”
Also of significance is the Working Party’s highlighting of the possibility of imminent enforcement by DPAs despite the announcement of the Shield. The statement notes that “since the Schrems judgment, transfers to the U.S. cannot take place on the basis of the invalidated Safe Harbour decision” and provides that the DPAs will deal with related cases and complaints on a case-by-case basis.
Once the Working Party receives the documents spelling out the details of the Shield, it will conduct an assessment at “an extraordinary plenary meeting that will be organized in the coming weeks.” After that, the Working Party will consider whether SCCs and BCRs can still be used. However, importantly, those transfer mechanisms remain viable in the interim.
What Happens Next
The announcement of the Shield is just the beginning of the story. As a procedural matter, the College of Commissioners has directed Vice President Ansip and Commissioner Jourová to prepare a draft adequacy decision in the coming weeks, which could then be adopted by the College after it obtains the advice of the Working Party and after consulting a committee composed of representatives of the EU Member States.
Not surprisingly, the Shield is already the subject of criticism from certain European officials and privacy advocates on both sides of the Atlantic. And even if the Shield is adopted, it will likely be the subject of court challenges for many years to come.
U.S. companies should also keep in mind that the Shield only addresses data transfers and is not the only piece of the European privacy legal landscape in flux. The EU General Data Protection Regulation (GDPR) is expected to be enacted this year and take effect in 2018, with tremendous ramifications and changes for U.S. companies handling the personal data of EU data subjects, even in the absence of data transfers. We will continue to monitor developments closely and report them here.