On Tuesday 2 February 2016, the EU Commission and the US Department of Commerce announced that they had reached "political agreement" on a new privacy framework for transfers of personal data between Europe and the United States.
The new framework – the "EU–US Privacy Shield" – will replace Safe Harbor, which was invalidated by the Court of Justice of the European Union (CJEU) in October 2015 in the Schrems decision amid allegations of mass surveillance.
The details of Privacy Shield are not yet publicly available, and the European Data Protection Authorities (DPAs) will want to pore over the full text of the new framework before giving their approval. As a result, uncertainty regarding transatlantic data transfers is likely to remain for a few more months. Still, this week's announcement is an important development in the future of EU–US data transfers.
The Privacy Shield Framework
In announcing Privacy Shield, the EU Commission stated that it "will protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses" and that it reflects the CJEU's recommendations from Schrems. The US Department of Commerce also released a factsheet stating that the Privacy Shield will "significantly improve commercial oversight and enhance privacy protections".
Here are the key components of the new deal:
- Monitoring and Enforcement: US companies that import personal data from the EU will have to commit to (and publish) "robust" obligations on how personal data is processed. The Department of Commerce will ensure that companies publish their commitments, and the FTC will ultimately enforce compliance with them (as under Safe Harbor). In addition, the new framework contains the following important developments:
- US organisations will be subject to the decisions of European DPAs in their handling of human resources data from Europe.
- Increased enforcement action seems likely because of the political focus on the issue and the additional dedicated resources established in the Department of Commerce to oversee compliance.
- New contractual privacy protections and oversight will also be introduced for US organisations engaging third parties or agents to process data on their behalf.
- US government access: The new deal contains assurances from the US that there are limitations and safeguards on US mass surveillance. Privacy advocates in particular, however, worry that exceptions for national security will trump European citizens' privacy rights. An annual joint review process between the European Commission and the US State Department will ensure that the agreement is monitored and adjusted as necessary.
- Redress for EU citizens: This was a key concern for the CJEU in Schrems and an area where there have been a number of new features:
- European citizens can complain directly to the US organisation concerned about violations of the new agreement, and the US organisation will have deadlines to respond. Alternatively, European citizens can refer an issue to alternative dispute resolution, free of charge. US organisations will also be required to commit to arbitration as a last resort.
- EU DPAs will be able to refer any complaints they receive to the FTC.
- The State Department will create an Ombudsman to respond to any complaints about access for surveillance purposes.
- It is worth noting that the Judicial Redress Act – currently pending in the US Senate – also gives EU citizens the right to sue in the US for infringement of their privacy rights.
It is not yet confirmed how long formerly Safe Harbor-certified organisations (all 4,000+ of them) will have to review and self-certify against the new Privacy Shield, should they wish to.
Reactions of the Article 29 Working Party
In the most recent development, the influential body of European DPAs – the Article 29 Working Party (29WP) – gave an initial opinion on the Privacy Shield announcement. Although the 29WP was not directly involved in the negotiations, its views are critical to the feasibility of Privacy Shield and to any potential challenge to the agreement before the CJEU.
The 29WP has welcomed the Privacy Shield, particularly because the EU and US have (just about) met the end-of-January deadline set by the 29WP following the Schrems decision. However, the 29WP has reserved its position until it has received the full details of the new regime. The question of the "legal bindingness" of the new arrangement will be key for the 29WP.
The 29WP has also undertaken its own review of the other transfer mechanisms – namely, Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) – and has concluded that concerns remain. The question for 29WP is whether the Privacy Shield's checks on US mass surveillance are sufficient to allow the other transfer mechanisms to continue.
The 29WP has given the EU Commission until the end of February to finalise all necessary documents, and it will then consider the detail. We expect the 29WP to announce its conclusions towards the end of March or early April.
In the meantime, the 29WP confirmed that the other international transfer solutions remain valid in their current form – which provides some certainty for organisations. However, the 29WP also made clear that Safe Harbor is no longer valid and that enforcement action will be taken against organisations that continue to rely on it.
What organisations should do now
- Complete internal assessments to identify personal data being collected, used, shared and disclosed internationally.
- Do not rely on Privacy Shield just yet. It is not an "adequacy decision", and the details still need to be published and assessed.
- Ensure data transfers to the US are covered by either SCCs or BCRs.
- Prioritise your transfers by reference to the volume and sensitivity of the data, and consider both (i) intragroup transfers and (ii) transfers of data to vendors.
- Unless an alternative transfer mechanism is in place, there is a risk of enforcement action.
For now, we await the conclusions of the 29WP and whether the "shine will come off the Privacy Shield".