- On 2 February 2016, the European Commission and United States announced an agreement on a new framework for transatlantic data flows: the EU-US Privacy Shield.
- The EU-US Privacy Shield outlines the framework that will replace the Safe Harbour framework invalidated by the Court of Justice of the European Union in October 2015.
Background to the original Safe Harbour framework
The European Commission (“EC”) had originally adopted the Safe Harbour framework in 2000, which comprised the Safe Harbour Privacy Principles (“Principles”) and accompanying Frequently Asked Questions issued by the United States (“US”) Department of Commerce. Through Commission Decision 2000/520/EC, the EC recognised that the framework provided adequate protection for the purposes of personal data transfers from the European Union (“EU”) to the US. Thus, the Safe Harbour framework allowed for the free transfer of personal data from EU Member States to companies in the US which signed up to the Principles, despite the absence of a general data protection law in the US.
The Schrems ruling
The genesis of the case was a complaint to the Irish Data Protection Commissioner (“IDPC”) by an individual, Max Schrems, claiming that the transfer of personal data by Facebook Ireland to servers in the US belonging to Facebook Inc. should be prohibited because the personal data was not adequately protected in the US. The complaint was made in light of the revelations by Edward Snowden relating to the US government’s surveillance and intelligence activities over personal data held in the US by US-based organisations. The IDPC rejected the complaint, considering itself bound by the Commission’s Safe Harbour adequacy decision, but on judicial review the High Court of Ireland referred the matter to the Court of Justice of the European Union (“CJEU”). On 6 October 2015, the CJEU issued a ruling holding that Commission Decision 2000/520/EC, and consequently the Safe Harbour framework, was invalid (“Schrems ruling”).
In deciding the case before it, the CJEU examined Decision 2000/520 and found that, inter alia:
- the EU-US Safe Harbour regime applied only to self-certified US organisations and not to US governmental agencies, which were able to access and process personal data transferred from the EU in a way that was “incompatible with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security”;
- the individual to whom the personal data relates had no means of legal recourse against such actions by the US governmental agencies;
- the meaning of “adequate level of protection” had to be understood as requiring a level of protection, by reason of a country's domestic law or international commitments, that was “essentially equivalent” to that guaranteed within the EU by the Data Protection Directive (Directive 95/46/EC); and
- the EC had not stated that the level of protection afforded to personal data in the US by “reason of its domestic law or its international commitments” was in fact adequate.
After the Schrems ruling, on 16 October 2015, the Article 29 Working Party (the body comprising the data protection authorities (“DPAs”) of the 28 EU Member States) issued a statement on the consequences of the judgment. The statement made clear that transfers still taking place under the Safe Harbour decision after the Schrems ruling were unlawful. The DPAs considered that the alternative transfer tools, Standard Contractual Clauses and Binding Corporate Rules, could still be used. Further, the DPAs committed to take all necessary and appropriate action, including coordinated enforcement action, if no appropriate solution had been found with the US authorities by the end of January 2016. Subsequently, on 6 November 2015, the European Commission issued guidance for companies on the options for transatlantic data transfers following the Schrems ruling, pending a new framework being put in place.
New framework announced
On 2 February 2016, the EC and US announced an agreement on a new framework for data flows from the EU to the US: the EU-US Privacy Shield (“Privacy Shield”). The Privacy Shield is intended to meet the requirements set out by the CJEU in the Schrems ruling. The new arrangement will impose stronger obligations on companies in the US to protect the personal data of Europeans and provide stronger monitoring and enforcement by the US Department of Commerce and Federal Trade Commission (“FTC”), including through increased cooperation with European Data Protection Authorities (“DPAs”).
New features of the Privacy Shield
The Privacy Shield includes several new features over the old Safe Harbour framework. The highlights of these new features are described below.
Strong obligations on companies handling Europeans' personal data and robust enforcement
- The Department of Commerce will monitor that participating companies publish their commitments, which makes those commitments enforceable under US law by the FTC.
- Any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.
Clear safeguards and transparency obligations on US government access
- There will be clear conditions, limitations and oversight imposed on possible access by US public authorities to personal data transferred under the new arrangement, preventing generalised access.
- There will be an annual joint review by the EC and Department of Commerce, to regularly monitor the functioning of the arrangement, which will also include the issue of national security access.
Effective protection of EU citizens' rights with several redress possibilities
- Companies will have deadlines to reply to complaints.
- European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission.
- Alternative dispute resolution will be free of charge.
- For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.
The Privacy Shield marks a step towards greater certainty for organisations that transfer personal data from the EU to the US, while ensuring that fundamental rights of Europeans are protected. It also provides relief from potential enforcement actions by the European DPAs, which could have commenced from the end of January 2016 had no new framework been agreed on.
However, the full details of the EU-US Privacy Shield have yet to be fleshed out, and the arrangement could be affected by various factors, such as a change of administration in the US and further legal challenges in the EU. In the meantime, pending announcement of the full details of the Privacy Shield, European businesses should consider putting in place legal solutions (such as the Standard Contractual Clauses and Binding Corporate Rules which the DPAs have confirmed remain available) and technical measures to mitigate the risks they face when transferring personal data to the US. Businesses should also note the Article 29 Working Party’s position that transfers still taking place under the Safe Harbour decision after the Schrems ruling are unlawful.
Establishing a comprehensive Privacy Shield framework would provide the best solution for transatlantic trade because, compared with contractual mechanisms such as Standard Contractual Clauses and Binding Corporate Rules, it offers a simpler, less burdensome and therefore less costly transfer mechanism for European businesses. Small and medium-sized enterprises, in particular, stand to gain from the new Privacy Shield.