Until its invalidation in October last year, many businesses relied on the EU-US Safe Harbor framework as a safe passage for transatlantic data flow. More background available here and here. After months of negotiating, a new deal has been reached, renamed the "EU-US Privacy Shield".
A rose by any other name?
The rebrand is to prevent association with its predecessor and it appears there was intention to add a symbol of protection; the emblem of the new framework is a shield bearing the US and EU flags.
Is it any sweeter? Apparently so - according to Vera Jourová, Commissioner for Justice, Consumers and Gender Equality, the deal is "fundamentally different to Safe Harbor", able to withstand legal challenge, guarantee citizens their fundamental right to protection of personal data, ensure legal certainty for businesses and help build a Digital Single Market in the EU.
The European Commission stated that the new agreement includes stronger obligations on the US side of the pond in several ways:
- US companies must protect the personal data of Europeans and must respond on a strict deadline if an EU citizen has concerns that their data has been misused.
- Stronger monitoring and enforcement by the US Department of Commerce and Federal Trade Commission (FTC), including increased cooperation with European Data Protection Authorities.
- "Binding commitments" by the US that although under US law public authorities can access personal data transferred, such access will be subject to clear conditions, limitations and oversight.
- European citizens can raise any enquiry or complaint with a "functionally independent" new Ombudsperson, resident in the US State Department.
- There will be an annual joint review process by the Commission and the US Department of Commerce, with input from US national intelligence experts and European Data Protection Authorities.
Short term: the ball is in the EU's court as Jourová and Ansip must now prepare a draft "adequacy decision", which can be adopted by the College of Commissioners, after it hears from the Article 29 Working Party. The Americans will also take a few weeks to make the necessary preparations and formalise the commitments.
Mid-term: The Commissioner said the Shield would be up and running as soon as possible and would take just three months to implement. However, the Article 29 Working Party made clear yesterday that they must construct a full legal analysis, including a review of the alternative methods of transfer such as Model Clauses and Binding Corporate Rules, which will take until April (as long as the Commission coughs up the paperwork within three weeks as promised).
Long term: Assurances were also made that the Shield would still be suitable when the General Data Protection Regulation comes into force in 2018. However, the real test will be if it can "hold up in court" to meet the CJEU's high standards; there are already suggestions of people lining up to bring test cases.
What does Europe think?
The Article 29 Working Party is reserving judgement until it sees the paperwork, stating "we can't just accept words" and has questioned the deal's legal format.
So far, Germany and Spain have been the quickest to speak out on the deal. The German data protection authority called it "gratifying" and "hopefully positive", but made clear that the terms will need to be examined very carefully as to whether it can meet the necessary guarantees for legal transfer of personal data to the US from the EEA. Spain's national data protection authority stated that the Commission must consider the new measures and safeguards offered by the US to be sufficient to offer an adequate level of protection.
Doesn't the US still have to play ball?
The US Secretary of Commerce, Penny Pritzker called the new deal a major achievement for privacy businesses on both sides of the Atlantic and stated that the Shield demonstrates a commitment to working together as leaders in the global economy, promoting shared values, and bridging differences where they exist. However, there is increasing speculation about the formality of the deal and it is still unclear whether legally-binding commitments have been made by the US Many, including Austrian student Max Schrems and the Article 29 Working Party, say that without official text, there is no official deal. There is also the added uncertainty of the fate of the Oval Office come November. The main message? This is not yet signed, sealed or delivered.