The European Commission and the US reached a deal on transatlantic transfer of personal data on 2 February 2016. For the time being it is only a political agreement which is to be transformed into a legally binding text in the coming weeks. Data transfers between the EU and US used to be operated on the basis of a Safe Harbor scheme, which the Court of Justice of European Union (CJEU) declared invalid in the Schrems judgment of 6 October 2015. (We blogged on the case in October 2015.)
The EU - US Privacy Shield – as the new framework is called – comes as a result of four-month long arduous negotiations. The main problem with the Safe Harbor scheme was the possibility of a large-scale access by US national security and law enforcement agencies to data transferred from the EU. The US companies are now under a stronger obligation than under the Safe Harbor to protect the personal data of Europeans. Likewise, the US Department of Commerce and the Federal Trade Commission (FTC) have stronger monitoring and enforcement obligations, including through an increased cooperation with European data protection authorities (DPAs).
The EU – US Privacy Shield prescribes strong(er) guarantees on the part of the US
As it follows from a statement by the European Commissioner for Justice Vera Jourová, the EU – US Privacy Shield is built upon three core goals:
- strong obligations on the US companies handling Europeans' personal data and robust enforcement by the US Department of Commerce and the FTC;
- clear limitations, safeguards and oversight mechanisms concerning the access of US public authorities for law enforcement and national security purposes; and
- effective protection of EU citizens' rights with various possibilities of redress.
As explained by the FTC Commissioner Julie Brill, any EU consumer who considers that his/her data has been misused under the new arrangement will be able to do one of the following: express concerns directly to the company which handles his/her personal data, engage in alternative dispute resolution, evoke direct arbitration, go to their country DPA, or file a complaint with the FTC.
Companies will have deadlines to reply to the complaints received. European DPAs can refer complaints to the Department of Commerce and the FTC. The alternative dispute resolution mechanism will be free of charge. For complaints concerning access by national intelligence authorities, a new Ombudsman will be created.
The functioning of the Privacy Shield, including the access by national security agencies, will be monitored through an annual joint review. The European Commission and the US Department of Commerce will conduct the review and invite national intelligence experts from the US and the European DPAs to participate.
Although reaching the agreement is an important achievement, there are few more steps to make in order for a legally binding agreement to come into force. The EU-US Privacy Shield must now be drafted in the form of an "adequacy decision" by the EU Commission and adopted by the College of EU Commissioners after obtaining an advice of the Article 29 Working Party (WP 29) and after consulting a committee composed of representatives of all EU Member States.
The day after the EU Commission issued the press release on the Privacy Shield, the WP 29 released a statement recalling that transfers to the US cannot take place on the basis of the invalidated Safe Harbor and that the four essential guarantees for intelligence activities, under the European jurisprudence on fundamental rights, are the following:
- processing should be based on clear, precise and accessible rules;
- the intelligence agency needs to be able to demonstrate necessity and proportionality with regard to the legitimate objectives pursued (generally national security);
- an independent oversight mechanism should exist (a judge or another independent body), that is both effective and impartial; and
- effective remedies need to be available to the individual.
There is always a possibility for the CJEU to invalidate the Privacy Shield if the Court finds that the US security agencies are conducting massive surveillance of EU citizens' personal data. However, unlike the situation with the Safe Harbor, which in the opinion of the European Commission in 2013 suffered from important deficiencies in practice, if the European Commission tells the court that American privacy protection is now adequate, it may be harder for judges to determine otherwise.
Repercussions on Montenegro and Serbia
The Montenegrin Data Protection Act (2008) contains a provision to the effect that transfer authorization from the Montenegrin DPA is not required when "… the data is transferred to … countries on the European Union list of countries which have an adequate level of protection of personal data" (Article 42). One of the countries present on the list maintained by the European Commission was the United States, i.e. the Safe Harbor-certified US companies. Based on that provision, it was not necessary to obtain a transfer authorization from the Montenegrin DPA when a Safe Harbor-certified company was the data importer. The same will likely apply if the Privacy Shield comes into force.
The data protection law now in force in Serbia does not contain provisions (on data transfer) similar to those in the Montenegrin law. Even when the Safe Harbor scheme was in force, a Safe Harbor-certification was not enough to persuade the Serbian DPA that the data importer was providing an adequate level of protection. The DPA asked for specific guarantees on the part of the US company, in order to grant a data transfer authorization. Perhaps the DPA would be more forthcoming when confronted with a request to export personal data to a US company under the Privacy Shield framework, because the level of protection of personal data will presumably be higher than under the Safe Harbor. An exceedingly stringent approach on the part of the Serbian DPA would not be business-friendly.