The EU-U.S. Privacy Shield (the "Shield") has been announced after political agreement was reached in early February on a revised approach to transferring data from the EU to the U.S., following last year's decision that the current Safe Harbour arrangement was inadequate. That decision followed the revelations of Edward Snowden and a case brought by Max Schrems against the Irish data protection authority over his concerns about the transfer of his Facebook data from Ireland to the U.S.
The European Commission has now published its draft adequacy decision and the legal texts that will put the Shield in place, as well as a Communication summarising the actions taken to restore trust in data transfers from the EU to the U.S. These encompass (i) the reform of EU data protection rules, which apply to all companies providing services on the EU market, (ii) the EU-U.S. Umbrella Agreement, ensuring high data protection standards for data transfers between the EU and the U.S., and (iii) the Shield for commercial data exchange, which contains obligations on U.S. companies that handle personal data.
The European Parliament approved the reformed General Data Protection Regulation. Given this is a Regulation (rather than a Directive), this legislation will apply automatically in every Member State (without need for additional domestic legislation) when it comes into force in 2018.
The European Commission made the Umbrella Agreement conditional on the U.S. Congress passing the U.S. Judicial Review Act (which it has done); President Obama has also signed it. This has significant consequences for U.S.-based businesses because it means that EU citizens will have the right to obtain judicial redress in the U.S. when their data is mishandled by U.S. authorities.
The Article 29 Working Party (the group of European data protection authorities, which includes the ICO (the Information Commissioner's Office, the UK's data protection authority)) has provided its opinion on the Shield. It broadly welcomes the "significant improvements" made by the Shield and notes that many of the "shortcomings" of the previous Safe Harbour arrangements have been dealt with. However, amidst this praise, the Working Party also recommended that the European Commission take steps to make sure that the Shield is "clear and understandable for both sides of the Atlantic" and redresses all of the concerns raised by the Article 29 Working Party (and not just most of them), such as the failure to specify certain key data protection principles and a lack of clarity as to the scope, limitations and guarantees relating to the onward transfer of personal data received by a Privacy Shield entity in the U.S. to third-country recipients.
EU Member States will also have to give their approval to the new measures before formal adoption by the College of EU Commissioners. As such, there is still some way to go before there is certainty about how to transfer personal data between the EU and the U.S.
Whilst uncertainty remains, the ICO continues to recommend that organisations use standard contractual clauses and binding corporate rules to safeguard personal data transferred to the U.S. The ICO has also stated that it will not "expedite" complaints about Safe Harbour while the process to finalise its replacement remains ongoing and businesses await the outcome. Instead, it will be guided by the risk posed to individuals and the steps that can reasonably be expected of data controllers. Similar statements have been made by the data protection authorities in Estonia, the Netherlands and Sweden. However, the same message does not apply across the EU: France's data protection authority has stated that it is investigating businesses using Safe Harbour and that whether or not enforcement powers are used will be decided under its national law.
Indeed, there remain concerns that the new Shield, and even the existing alternative ways to transfer data to the U.S., e.g., binding corporate rules and standard contractual clauses, will be challenged by civil liberties groups, concerned individuals and even data protection authorities, as the fundamental concerns about the protection of data may ultimately remain. The new Shield may not even be the beginning of the end of the story.