On Tuesday, the European Commission announced that it had reached a “political agreement” with its US counterparts on a regime to replace the Safe Harbor framework, which the European Court of Justice (ECJ) declared invalid in October 2015. The legal wording of a new adequacy decision (the “Shield Decision”) still needs to be drafted and finalised.
Yesterday, the Art. 29 Working Party (the “WP”) published their initial reactions and further guidance on the use of Standard Contractual Clauses (SCC) and Binding Corporate Rules (BCR). The European Commission must take into account the WP’s recommendations, but is not bound by those recommendations. However, if the WP does not agree with the Shield Decision, we might expect that national data protection authorities will reject transfers on the basis of the Shield Decision and bring the Shield Decision before the ECJ as quickly as possible.
The WP also stated that data protection authorities will continue to accept Standard Contractual Clauses and Binding Corporate Rules for transfers to the US - at least until they have completed their review of the draft Shield Decision.
The Shield Decision must comply with a number of thresholds established by the ECJ. Some observers, such as Jan Philipp Albrecht, immediately expressed doubts (to put it mildly) that the regime would be sufficient to meet the requirements of the ECJ judgment. The European Commission’s press release addresses these requirements (more or less) in the following elements:
Obligations on companies handling Europeans' personal data and robust enforcement: US companies will need to commit to “robust obligations” on how personal data is processed and individual rights are guaranteed. The US Department of Commerce will monitor whether companies publish their commitments, which makes them enforceable under US law by the US Federal Trade Commission. In addition, any company handling human resources data from Europe must comply with decisions by European data protection authorities.
Comment: “Robust obligations” will need to require US companies to adhere to a level of protection essentially equivalent to Art. 8 (1) of the European Charter of Human Rights, as currently implemented by the Data Protection Directive 95/46, and in the future by the EU General Data Protection Regulation (cf. paragraph 72 et seq. of the ECJ’s decision). It will be interesting to see if, and to what extent, the current seven Safe Harbor principles will be further elaborated in the upcoming adequacy decision.
Clear safeguards and transparency obligations on US government access: The US allegedly assured that access by public authorities will be subject to clear limitations (access for law enforcement and national security reasons must be “necessary and proportionate”), safeguards and oversight mechanisms. The US has ruled out indiscriminate mass surveillance on the personal data transferred to the US. To regularly monitor the arrangement, the European Commission and the US Department of Commerce will conduct annual joint reviews and invite national intelligence experts from the US and European data protection authorities to participate.
Comment: This addresses the ECJ’s criticism that access to personal data transferred under Safe Harbor was without any “differentiation, limitation or exception” (cf. paragraph 93 et seq.) and that Safe Harbor did not require any compliance by US authorities (cf. paragraphs 82 and 86). It will be interesting to see if the ECJ regards such assurances as a sufficient “domestic law or international commitment” (cf. paragraph 97).
The WP requested four minimum guarantees in terms of access to data by intelligence agencies:
- processing based on clear, accessible rules;
- access to EU citizen data for intelligence purposes being subject to necessity and proportionality;
- an independent oversight mechanism; and
- effective remedies for individuals before independent bodies.
Effective protection of EU citizens' rights with several redress possibilities: According to the Agreement, citizens who suspect their data has been misused will have several redress possibilities. Companies will have deadlines to reply to complaints. European data protection authorities can refer complaints to the US Department of Commerce and the Federal Trade Commission. Alternative dispute resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new ombudsperson will be created.
Comment: The ECJ noted that Safe Harbor did not include effective legal protection against access to personal data by US authorities (cf. paragraph 89) and that legislation did not provide effective judicial protection. The press release refers to “several redress possibilities”. Whether an ombudsperson alone will be able to provide the necessary legal protection where national intelligence authorities have accessed personal data remains to be seen. Adoption of the Judicial Redress Act will also play a part in ensuring effective legal protection, although whether the draft bill affords the required level of protection is doubtful (see here for more on this).
The Agreement is a welcome step forward in addressing the current insecurities over transatlantic data flows, but a big task is still ahead – adopting an adequacy decision which meets the ECJ’s requirements.
Dr. Reemt Matthiesen