Almost four months after the EU Court of Justice declared the European Commission’s Safe Harbor decision invalid, Commissioner Jourová announced its successor on 2 February 2016: the EU-US Privacy Shield (Privacy Shield). But so far the Privacy Shield is merely a political consensus resulting from long negotiations.
While the progress made by the EU and US must be recognised, the Privacy Shield does not yet pose a solution to transatlantic data transfers nor can it be labelled a new transfer mechanism. In fact, little is known about the contents of the Privacy Shield framework. Without further details and underlying documentation, companies and consumers remain without any real practical guidance on “Safe Harbor 2.0″. At present and at least for the months to come, unamended Standard Contractual Clauses (SCC) and binding corporate rules (BCR) remain the only realistic transfer mechanisms.
The EU-US Privacy Shield: what it means
The Privacy Shield is intended to facilitate the transfer of personal data between an EU data exporter and a data importer located in the US. It is designed as a regulatory two-way street, built from three core elements that will need to be refined in the near future:
- Strong obligations on the data importer and robust enforcement
- US data importers will have to commit to “robust obligations” on how personal data is processed and guarantee the rights of individuals.
- The US Department of Commerce (DOC) will monitor that companies publish their commitment. This will allow the US Federal Trade Commission (FTC) to enforce these commitments under US law.
- Any company processing personal data of Europeans has to commit to comply with decisions of European data protection authorities (DPAs).
- Clear safeguards and transparency for US government access
- Public authorities’ access to personal data for law enforcement and national security purposes will be subject to clear limitations, safeguards and oversight mechanisms. Public authorities should only have access to what is proportionate and necessary.
- The US ruled out indiscriminate mass surveillance on the personal data transferred to the US under the Privacy Shield.
- The Privacy Shield will be subject to annual review by the DOC and the European Commission (Commission).
- Effective protection of EU citizens’ rights and right to redress
- European individuals will have several possibilities for redress against US companies processing their data.
- Companies using the Privacy Shield will face deadlines for responding to complaints.
- Consumers will be able to (in addition to the company) also approach the EU DPAs with their complaints. The EU DPA may refer these complaints to the DOC and the FTC.
- Alternative dispute resolution will be available to consumers free of charge.
- The US will instate an ombudsperson to review complaints regarding national intelligence authorities.
Yet no reason to rest assured
Commissioner Jourová expressed her ambitious belief that the Privacy Shield will be implemented within a few months. In that time, these are the steps to be taken:
- Over the coming weeks, Vice-President Ansip and Commissioner Jourová will prepare a draft adequacy decision.
- The Commission will then obtain advice from the Article 29 Working Party (WP29) and a committee of representatives of the Member States. Given the fierce reactions voiced by various stakeholders and the deviating opinions arising from the Member States, this may well pose a tough uphill battle. CNIL already announced the WP29 expects to publish its analysis in April.
- The Commission will afterwards adopt the adequacy decision.
- In parallel on the US side, preparations need to be made to put the Privacy Shield in place (e.g., appoint an ombudsman, set up a team at the DOC, and finalise the US Judicial Redress Act).
The Privacy Shield may still have a long way to go
In its reaction to the Privacy Shield, the WP29 expressed its concerns on whether the new agreement will be able to guarantee the minimum requirements the WP29 sees fit. Moreover, the WP29 indicated that it can only complete its assessment on the Privacy Shield once it has access to all underlying documents. Therefore, the WP29 has called on the Commission to submit all documents pertaining to the Privacy Shield by the end of February.
The WP29 has stated that they want to see and evaluate all legal documents of the deal by the end of February. Given the work that still needs to be done on both sides of the Atlantic, it remains questionable whether the EU and the US will be able to meet this deadline. In the past days, various EU and US officials named various terms for when the finalisation of the new framework can be expected: from three months to even up to a year.
At least for now, continue to base your transatlantic data transfers on SCC or BCR
While the Privacy Shield is expected to at some point in the future become a viable legal mechanism for transatlantic data transfer, it remains to be seen whether companies will actually be able to rely on it anytime soon. Contrary to what some suppliers allege or imply, the Privacy Shield is nowhere near being able to be executed. Moreover, it will provide for a “living” mechanism that will be reviewed annually. Hence, companies that chose in the future to rely on the Privacy Shield may face the risk of having to re-evaluate their processing on an annual basis. We advise companies for now to continue to focus their efforts on SCC or BCR as the transfer mechanism for all of their data transfers.
Read more in our Legal Alert of 16 October 2015.