After a few months of wrangling, there has been a breakthrough in finding a solution to the clear difficulties in transatlantic transfers of personal data. The “Privacy Shield” has been accepted as a framework to address the concerns raised by the European Court when the Safe Harbour regime was declared invalid, but is there really anything yet certain about the new arrangement, and what does it in fact mean?
WHEN DOES THE NEW PRIVACY SHIELD REGIME COME INTO FORCE?
Not yet – the legal implementation of the political agreement has yet to be settled and, until that time, the situation remains as it was.
WHAT SHOULD WE DO TO PREPARE FOR THE PRIVACY SHIELD?
Until the detail is published, data users should not alter their behaviour. Steps which have been, or are being, taken to deal with the removal of the Safe Harbour regime – which have been principally focused on the use of EU Model Clauses – should continue.
HOW IS THE REGIME INTENDED TO WORK?
US companies who want to bring personal data in from the EEA will need to make “robust” commitments on protection which will be made public and monitored by the US FTC.
The US Government has given assurances, in response to EU concerns, that access to personal data by public authorities for law enforcement and national security purposes will be subject to limitations, safeguards and oversight mechanisms, as well as ruling out indiscriminate mass surveillance. We must wait to see how this is given effect in US law. There will be an annual joint review between the European Commission and the US Department of Commerce along with national security experts.
The US will also introduce a means by which EU citizens will have an effective right of redress in the US which has until now been missing – again, we must wait and see how adequate this is deemed to be.
For now, this must be seen as an optimistic step in the right direction to answer the need for a free flow of data across the Atlantic but there is clearly still work to do. For practical purposes, companies should continue to work on the basis that a replacement for Safe Harbour does not yet exist and take appropriate steps to ensure the protection of personal data by other means.