The EU-US Privacy Shield adequacy decision has been adopted by the European Commission on 12 July 2016. This decision replaces the old Safe Harbor Regime (which was invalidated by the CJEU in the Schrems case) and allows personal data transfers to certified recipients in the US. US Companies will be able to certify for the Privacy Shield with the US Department of Commerce from 1 August 2016. In this context, the Article 29 Working Party ("WP 29", regrouping all data protection authorities in the EU/EEA) published a statement on 26 July 2016. Despite strong concerns, the WP 29 will soon provide information to data controllers about their obligations in this respect and grants a period of 12 months to prove the robustness of the Privacy Shield.
The Privacy Shield does thus unfortunately not seem to be an unbreakable shield. Therefore, it may be prudent for companies to rely on other tools for the transfer of personal data to the US, i.e. standard contractual clauses and binding corporate rules, albeit they are challenged as well.
EU-US Privacy Shield principles
As more fully described in our previous newsletter, the EU-US Privacy Shield key principles are:
- Strong obligations on companies handling data: notably regular updates and reviews of participating companies, tightening of conditions for the onward transfers of data to third parties.
- Safeguards and transparency obligations on U.S. government access: the US has given the EU assurance that the access of public authorities for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms, the set-up of redress mechanisms (an Ombudsperson).
- Protection of individual rights: implementation of several accessible and affordable dispute resolution mechanisms for individuals. If the complaint is not resolved by the company itself or by way of alternative dispute resolution solutions, individuals can also go to their national data protection authorities, who will work with the Federal Trade Commission, and as a last resort there will be an arbitration mechanism.
- Annual joint review mechanism: monitoring of the functioning of the Privacy Shield by the European Commission and the U.S. Department of Commerce with the assistance of national intelligence experts from the U.S. and European data protection authorities.
Remaining concerns but a wait-and-see attitude for the coming 12 months
Further to the adoption of the adequacy decision on 12 July 2016, the WP 29 published a statement on 26 July 2016 in which the latter highlighted that a number of points of concern remain.
Regarding commercial aspects, the WP 29 regrets, for instance, the lack of specific rules on automated decisions, the lack of a general right to object as well as the lack of clarity on how the Privacy Shield principles shall apply to processors.
Concerning access by public authorities to data transferred to the U.S., the WP 29 would have expected stricter guarantees concerning the independence and the powers of the Ombudsperson mechanism. Regarding bulk collection of personal data, the WP 29 regrets the lack of concrete assurances that bulk collection of personal data does not take place.
Despite their concerns, the data protection authorities within the WP 29 announced that they will proactively and independently assist the data subjects with exercising their rights under the Privacy Shield mechanism and will soon provide information to data controllers about their obligations in this respect.
The next assessment of the Privacy Shield’s robustness and efficiency is planned next summer, at the occasion of its first joint annual review. Given the remaining concerns raised by the WP 29 itself and the strong criticism of for example the BEUC (the European Consumer Organisation) as well as Maximilian Schrems (who introduced the claim on the basis of which the CJEU declared the Safe Harbor invalid), the risk exists that the Privacy Shield will be found to be insufficient. Furthermore, it is likely that court cases will be brought against the Privacy Shield and that the CJEU will have its final say over the adequacy of this new regime. Therefore, we strongly advise companies to continue to use other tools for the transfer of personal data to the US, i.e. standard contractual clauses and binding corporate rules, even when the adequacy of these alternative tools could and most probably will be reassessed and challenged as well.