The European Commission and the USA have reached a political agreement on a new framework for EU/US data transfers: the “EU-US Privacy Shield”.
The political agreement was concluded on 2 February 2016 and came after three months of negotiations between the Commission and the US. The deal ends the hiatus resulting from the European Court of Justice’s (CJEU) ruling in October 2015 (in Maximillian Schrems v Data Protection Commissioner (Case C‑362/14)) that the previous framework, “Safe Harbour”, was unlawful. Vice-President Ansip and Commissioner Jourová have now been mandated by the Commission to prepare the necessary steps to put in place the new framework. According to the Commission, the EU-US Privacy Shield reflects the requirements laid down by the CJEU in the Schrems judgment. The new arrangement will achieve this through:
- stronger obligations on US companies handling Europeans' personal data and more robust enforcement;
- clearer safeguards and transparency obligations on US government access to Europeans' personal data; and
- more effective protection of EU citizens' rights with redress possibilities.
These are explored in further detail below.
As alluded to above, Vice-President Ansip and Commissioner Jourová will now prepare a draft "adequacy decision" for adoption by the Commission. Once adopted by the Commission, the EU-US Privacy Shield would become a part of EU law. This adequacy decision will be subject to review by the Article 29 Working Party (WP29) (the EU entity representing national Data Protection Authorities (DPAs) and a committee composed of representatives of the EU member states). The US authorities will also need to implement the new framework. This process is anticipated to take around three months.
The EU-US Privacy Shield in further detail:
According to Commissioner Jourová, the EU-US Privacy Shield is “fundamentally different to Safe Harbour”. The Commission believes that the new framework meets the requirements of the CJEU in Schrems as follows:
- US companies wishing to import personal data from Europe will have to commit to “robust obligations on how personal data is processed and individual rights are guaranteed.” US companies’ commitments will be monitored by the US Department of Commerce and such commitments will be enforceable under US law by the US Federal Trade Commission (FTC). US companies handling human resources data from Europe will also have to comply with decisions by European DPAs.
- The US government has given the Commission “written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms”. According to the Commission, the US has “ruled out” indiscriminate surveillance of EU citizens’ personal data.
- Redress and enforcement mechanisms for European citizens will be extended and strengthened. For complaints about possible access by national intelligence authorities, a new US Ombudsperson will be created. European DPAs will be able to refer complaints to the US Department of Commerce and the FTC. There will also be some form of free alternative dispute resolution mechanism.
- There will be annual joint EU-US reviews (beginning in 2017) on the workings of the framework. These reviews will extend to national security agencies’ access to personal data.
The WP29 has reserved its judgment on the adequacy of the new framework. It has noted that many of the key details about the EU-US Privacy Shield remain to be outlined. Accordingly, the WP29 has asked the Commission to provide it with all documents relating to the new framework by the end of February 2016. The WP29 will then review the framework and will also consider alternative transfer mechanisms such as binding corporate rules and model contract clauses.
The WP29’s caution about the new framework is prudent. The new framework, for now, exists merely as a political agreement (by way of an “exchange of letters”) between the EU and the US, rather than an international agreement.
Any conclusions about the legality of the EU-US Privacy Shield are therefore premature. Businesses that need to transfer EU citizens' personal data to the US should wait until the WP29’s view is published (most likely in mid-April) before relying on the EU-US Privacy Shield to provide legal protection. The new agreement does nothing to affect the functioning of Safe Harbour. Accordingly, it remains illegal for companies to rely on Safe Harbour to justify transatlantic data transfers.
It is also important to remember that the agreement will require implementation in the US. This may be more difficult in an election year. Given the difference in attitudes towards privacy in the US compared to those in the EU, it remains to be seen whether the US will actually change its domestic legal regime to provide for the framework – the US government may instead be planning on providing the framework through political commitments. Privacy campaigners in Europe have already said that this agreement is not likely to stand up to scrutiny by the CJEU.