Since the invalidation of the Safe Harbour Regime in October 2015, organisations have been relying predominantly on EU model clauses to govern their EU-US personal data transfers (or binding corporate rules for intra-group transfers). The Privacy Shield has been drafted to replace Safe Harbour with a view to providing a legally compliant way to transfer personal data to the US. Despite numerous setbacks faced in recent months, the most difficult of which being the fault findning Article 29 Working Party’s Opinion on it, the Privacy Shield was given approval by the Article 31 Committee on 8 July 2016. On 12 July 2016, the European Commission issued its “implementing decision”, pursuant to which the Privacy Shield has been adopted.
The speed of approval is certainly surprising considering the recent criticism, as well as the US government expressing reluctance to renegotiate the Privacy Shield. If it is considered that the European Commission has not taken into account the criticism levelled against the Privacy Shield, it is likely to be used as evidence against it in a future legal challenge. This is all made more complicated by the recent referral by the Irish Data Protection Commissioner to the CJEU on the validity of model clauses.
Privacy Shield gets the green light
On 8 July 2016, the European Commission published a statement (the “Statement”) confirming that the Article 31 Committee, which is made up of representatives of all Member States, had given their “strong support” to the Privacy Shield, which will govern EU-US data transfers. On 12 July 2016, the European Commission issued its “implementing decision”, pursuant to which the Privacy Shield has been adopted.
Interestingly, the Statement makes clear that the Privacy Shield is:
“…fundamentally different from the old 'Safe Harbour': It imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice.”
The adoption of the Privacy Shield comes after a number of setbacks, the most recent being the European Data Protection Supervisor echoing the criticisms levelled at the Privacy Shield by the Article 29 Working Party; and the European Parliament passing a non-binding resolution, which although welcomed the Privacy Shield, urged the European Commission to continue negotiating with the US government to fully implement the Article 29 Working Party’s recommendations (discussed below). Further, the Article 31 Committee initially failed to reach an agreement as to whether the proposed Privacy Shield provided adequate protection for EU-US personal data transfers in a meeting with the European Commission.
The Article 29 Working Party’s Opinion on the proposed Privacy Shield was given in April, and was particularly critical of it and raised concerns with a number of provisions, ultimately recommending they are reviewed, revised and in some cases strengthened, to afford better protection for EU citizens whose personal data is being transferred outside of the EU to the US. Of particular concern were:
1. the absence of obligations on organisations to delete data no longer required;
2. bulk collection of personal data by US authorities; and
3. the lack of clarity around the new Ombudsperson role - in particular regarding their independence and autonomy and also the nature of their role and functions.
The Working Party recommended that the European Commission should amend the draft Privacy Shield to ensure that the level of protection afforded to EU individuals under it is equivalent to EU law and the Privacy Shield should be reviewed after the GDPR applies from 25 May 2018.
In response to these criticisms, the Statement made clear that:
“…the U.S. has given the EU written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizens' data. And last but not least the Privacy Shield protects fundamental rights and provides for several accessible and affordable redress mechanisms.”
Accordingly, the Statement concludes that “consumers and companies can have full confidence in the new arrangement, which reflects the requirements of the European Court of Justice.”
Despite the assurances given in the Statement, the final Privacy Shield may be found wanting. In a statement made on the 12 July 2016y Maximilian Schrems (the original challenger of the validity of the Safe Harbour) he states his view that, “It is little more than an [sic] little upgrade to Safe Harbor, but not a new deal. It is very likely to fail again, as soon as it reaches the CJEU.” Mr Schrems has taken aim at model clauses with the recent referral by the Irish Data Protection Commissioner to the CJEU on the validity of Facebook using them to transfer data from Ireland to the US, and it seems likely that he will look to challenge the validity of the Privacy Shield too.
In terms of next steps, in the US, the US Department of Commerce will start operating the Privacy Shield. Companies will then have the opportunity to review the Privacy Shield framework and update their compliance. Companies will be able to certify with the US Department of Commerce from 1 August 2016.
Organisations should keep under review the options for EU-US personal data transfers. The CJEU will not decide upon the validity of model clauses for some time, but where possible, it would certainly be prudent to consider alternative options to US data transfers, such as moving data centres to the EU, to minimise any adverse fallout of both the almost inevitable legal challenge to the Privacy Shield, and the outcome of the CJEU decision on model clauses. Additionally, it is important to note that the Privacy Shield is up for renewal in 12 months’ time, which will be dependent on the outcome of a careful review by the European Parliament as to its effectiveness. Accordingly, the Privacy Shield is unlikely to provide the answer to all of an organisation’s trans-Atlantic transfer woes on its own, but rather should be considered in the mix together with other compliance measures.
The UK’s position in relation to data transfers will in any event need to be monitored in the context of Brexit (see our earlier Law-Now).
The CMS data protection team provides expert advice on all information security and privacy matters. We regularly provide advice and training to clients on data protection compliance.