Further to our blog post in June 2016, the EU-US Privacy Shield has now been operational for over a month. In this article, we consider the practicalities of using the scheme and comment on its future.
Background to the EU-US Privacy Shield
By way of a reminder, the EU-US Privacy Shield provides a framework for EU-US personal data transfers. Privacy Shield is the replacement for the Safe Harbor data transfer scheme, which was declared unlawful by the CJEU in Maximillian Schrems v Data Protection Commissioner. Privacy Shield came into effect on 1 August 2016 and in doing so ended the effective hiatus in EU-US data transfers caused by the CJEU’s ruling in Schrems.
Using the EU-US Privacy Shield
At the outset, it bears reiterating that EU based organisations should not still be relying on Safe Harbor as a means of transferring personal data to the US. As noted above, the CJEU held in Schrems that Safe Harbor did not provide adequate protection for EU-US data transfers. Organisations should by now, amongst other things, have reviewed their standard contractual provisions with any US entities to ensure that data transfers are not subject to Safe Harbor. Colleagues of ours discussed this point last year (see here for further details).
… not using the EU-US Privacy Shield
It should be noted that there are other ways to transfer personal data to the US without using Privacy Shield. Many organisations rely on ‘Binding Corporate Rules’ (BCRs) or EU Standard Contractual Clauses (SCCs) in circumstances where a transfer is made from a UK company to a US-based group company. BCRs and SCCs are, in principle, approved by the Information Commissioner’s Office (ICO) and act as a legally enforceable framework setting out how each company in a group treats the personal data it processes.
There remain concerns about whether the EU-US Privacy Shield meets the requirements of EU law. Most recently, the Article 29 Working Party (WP29) issued a statement in late July expressing its concerns about, for example, “the access by public authorities to data transferred to the US” as it “would have expected stricter guarantees concerning the independence and the powers of the Ombudsperson mechanism”. In light of its concerns, the WP29 anticipates that the “first joint annual review” of the Privacy Shield scheme will be “a key moment for the robustness and efficiency of the Privacy Shield mechanism to be further assessed”. Many believe that there will be a future legal challenge to Privacy Shield and that the CJEU will declare the replacement scheme as incompatible with EU law.
Separately, and as noted in our last blog, the Irish Data Protection Commissioner announced her intention in May to seek declaratory relief in the Irish High Court and a referral to the CJEU to determine the legal status of data transfers under BCRs. This might therefore explain why the ICO has recently said “the area of international [data] transfers is still not free from uncertainty”. Unfortunately, it seems unlikely that this uncertainty will be resolved anytime soon.