With international data transfers left in a state of limbo by the failure to agree a replacement regime to Safe Harbor and the model clauses now subject to questions by the Irish data protection authority, the frustration of businesses wishing to continue transferring data outside the European Economic Area is understandably growing. The current status of the Privacy Shield Regime and Model Clauses are discussed in depth here by our Irish data protection team. In this article we shed light on recent developments which demonstrate there is progress being made to facilitate international data transfers both within the EU and to the U.S.
Umbrella Agreement: transfers and processing of criminal offence data
Since November 2006, the EU and U.S. have been exploring ways that would enable their respective law enforcement agencies to benefit from greater co-operation and exchange of law enforcement information while ensuring the protection of personal data.
On 8 September 2015, the EU and U.S. finalised an agreement on the protection of personal data transferred and processed for the purpose of preventing, investigating, detecting or prosecuting criminal offences, including terrorism, in the framework of police and judicial cooperation in criminal matters, referred to as the "Umbrella Agreement".
The Umbrella Agreement establishes a comprehensive framework of data protection principles when personal data is transferred for criminal law enforcement purposes between the U.S. and the EU or its Member States. Rather than provide a legal basis for the transfer of personal data, the Umbrella Agreement supplements the data protection provisions contained in other existing and future data national data transfer agreements. The Umbrella Agreement includes, for example, subject access rights and an obligation to notify all data security breaches to the applicable authority and, where appropriate, to the data subject.
The final text of the Umbrella Agreement was published on 18 May 2016 and it should be signed during the next EU-U.S. ministerial meeting in June 2016, in Amsterdam. It is hoped that the Umbrella Agreement will address some of the concerns regarding data flows between the EU and the U.S. following Edward Snowden's revelations of mass intelligence collection and surveillance by government agencies in 2013, which could take us a step closer to the agreement of the Privacy Shield.
To see the final text of the Agreement please see here.
EU Member States seek removal of barriers to data flows
On 23 May 2016, a letter was submitted by half of the EU's Member States to the European Commission requesting the removal of barriers to the free flow of data, both within and outside the EU. The signatories to the letter included the UK, Belgium, Denmark, Ireland, Poland and Sweden. The letter states that "It should be ensured that data can move freely across borders, both within and outside the EU, by removing all unjustified barriers to the free flow of data and that regulation does not constitute a barrier to development and adoption of innovative data-driven technologies".
The letter was issued intentionally in advance of the European Commission's presentation on 25 May of the results of its inquiry into the EU Digital Single Market, which is an EU initiative launched in 2015 to enhance and make the EU's digital economy more competitive.
The signatories urge the European Commission to avoid regulations that stifle the development and adoption of new data technologies and to avoid one-size-fits-all regulation for online platforms. The letter also calls for a coherent data protection strategy to be adopted, avoiding duplication between laws on privacy and electronic communications and the General Data Protection Regulation.
To coincide with the 25 May presentation the European Commission issued a press release setting out its proposed principles-based approach to the regulation of online platform providers, including the requirement for comparable digital services to follow the same or similar rules and, where possible, the Commission should reduce the scope and extent of existing regulation.
The Commission will apply these principles in its ongoing review of the e-Privacy Directive, which is expected to complete by the end of 2016, and is expected to outline more of its proposals to deliver a digital single market this month.
To see the letter click here.